We just raised a $30M Series A: Read our story

Firewalls Configuration Reviews

Showing reviews of the top ranking products in Firewalls, containing the term Configuration
Juniper SRX: Configuration
Director - Technology Solutions & Services at Connectivity IT Services Private Limited

I consider the setup for the product to be very easy. A basic technical person can do it. But, a person would need to know the capability of a robust box like SRX to make full use of the capabilities and the right choice of the product.  

You install the box, configure the hostname, a password, and set your IP address. By default, Juniper handles the basic configurations automatically. The control frame architecture is very nice. The whole platform architecture is very good. When you work with that box, you just divide the box into two layers: the top layer and the bottom layer. The top layer is exclusively made for the SRX box. The bottom layer is nothing but throughput where the packets get in and get out. We call it a packet forwarding engine, PFE.  

Initiating the routing packets actually go in the mapping connection between the top and the bottom, which is managed as with Oracle in an internal zone. The box is already secured when an attack happens. Nothing is 100% in the world. So, there is the possibility of an attack but at least the control center protects your network.  

The entire installation is just a couple of hours. It depends on the Oracle sizing. Let's say that you want to work on the agility of SRX, something you really need to understand is where you are deploying this product. It is different if you are comparing an SRX box or the cloud. When you are using an SRX box will it be deployed for a small enterprise, a mid-size enterprise, and a data center. You can have SRX boxes for a large data center. That is a difference in the agility of Juniper SRX compared to Cisco. For example, when I work with the cloud, I have an SRX virtual firewall, which is a high-performance network security in the virtual cloud. It is especially good for rapid deployments. It hardly takes hours to deploy on the cloud.  

When you have a container with a firewall, it is known as cSRX. Which is again, a highly available container firewall. These are used especially for microservices. When you start with a small enterprise you start with either the SRX 300 series or a 500 series, which is a next-generation firewall. It is comparable to the Cisco ASA. Probably the next good product to compare is Check Point. But the SRX product is easier to manage and deploy when compared to Check Point or Cisco.  

For the mid-size enterprise organization, we have the SRX 1400 Series or you can consider the 4000 Series. It is just an appliance. You just plug it in, switch it on, configure the network IP address, and then start configuring the protocols. You enable the licenses there, malware prevention, and all the other features you want by just adding on to the licenses.  

So it is just a matter of choosing the right appliance and from there it is practically plug-and-play. The challenge is not the initial setup and deployment, it is what you make use of.  

View full review »
FK
Head Of Network & Technical Support at a financial services firm with 501-1,000 employees

The configuration is difficult and it should be easier.

View full review »
PD
Pre-Sales Analyst at a tech services company with 201-500 employees

The initial setup wasn't too complex. It was pretty straightforward. We didn't really face any problems during implementation.

The deployment takes about 20 minutes. This without the client tests and just the configuration and no validation. Everything that was necessary was applied, however, not with the tests as it took too much of the client's time, and would have took much longer.

View full review »
C.T.O at Sastra Network Solution Inc. Pvt. Ltd.

What I like most about Juniper is that it is a complete configuration.

The user interface is good.

View full review »
AG
Network Engineer & Cyber Security Analyst at a tech services company with 201-500 employees

The GUI of the solution is quite good. It's also very different from other solutions. On others, if you need to configure anything, you can do it all from the default gateway. Cisco, for example, has a bit of a more difficult process. Juniper's GUI is easier and it makes configuration easier.

Troubleshooting with the solution is quite easy. If you compare the process to, for example, Fortigate, Juniper is much easier.

The speed of the solution is very good.

The initial setup is very easy.

View full review »
RL
Senior Network Administrator at a manufacturing company with 201-500 employees

The reliability needs to be improved. We purchased three devices and all three have been replaced under RMA. We've had other problems where they have needed to be rebooted.

A couple of times I've run into the problems where they have to integrate with other systems. The Juniper support really doesn't have a clue about other systems. They know Juniper and if everything is Juniper then it's great. However, we have Windows RADIUS Servers and I need Juniper-specific settings for them. Unfortunately, they're having a real hard time telling me what those should be, and they keep referring back to it being Microsoft, which they don't support. When they say that I need to speak with Microsoft, I remind them that these are things that are defined in the Juniper configurations that I need to set up. They seem to forget that not everybody is exclusively Juniper.

View full review »
MR
Network Security Engineer at a tech services company with 201-500 employees

The IPSec configuration is going well.

View full review »
PJ
Senior Network Engineer at a tech services company with 10,001+ employees

I think it needs some automation. I have to find an API for Python and so on, which is quite different from a typical solution. Sometimes committing configurations takes a lot of time in Juniper because of the connections, and it could be a little bit faster. Their documentation could also be better.

View full review »
AB
IT System Engineer at a computer software company with 201-500 employees

The initial setup was straightforward. The time it takes to implement this solution depends on the complexity of the configuration.

View full review »
AV
Senior Consultant with 51-200 employees

When compared to Palo Alto, Juniper is a better choice when it comes to the enterprise network and connectivity.

Juniper SRX is pretty fast to configure and make it work.

Once it is configured, it's fine, which is not the case with other firewalls.

Juniper is user-friendly. It works perfectly well.

Upgrades are available.

Juniper SRX has a roll-back feature which is very interesting. As no one is perfect and mistakes do happen, we can roll it back to the previous configuration.

This solution can handle a lot. It's manageable when you know the parameters, the features, and the number of policies of your firewall.

View full review »
KC
Information Security Manager at a recruiting/HR firm with 201-500 employees

We have been in touch with support and they've been good. During the configuration stages, we had a couple of tickets and they were responsive to it.

View full review »
AP
System Administrator at a leisure / travel company with 51-200 employees

We had implemented two SRXs in high availability mode. They were used, generally, for firewall and NAT translation tables, for forwarding for services, and connecting branch offices. We have a constant internet connection, which is directly connected with the branch offices, in general. We didn't explicitly configure or use any specific SRX features regarding the filtering of URLs or something that a UTM could use, since Juniper has a more advanced configuration and, in general, a UI that's made for the customer.

View full review »
AK
Senior Manager (Engineering Department) at a comms service provider with 10,001+ employees

The installation is straightforward.

The time of the deployment depends on the complexity of the environment. If the customer requires HA deployment and the configuration could take longer time. On average, for a small-scale branch office, it can be completed within one day, which includes testing. If the customer does not have any special preference on the policy and they do not have any IP tunnels then it could be completed within half a day.

View full review »
Cisco ASA Firewall: Configuration
JF
Cisco Security Specialist at a tech services company with 10,001+ employees

My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not easy. It's not user-friendly. All the configuration procedures are not user-friendly.

Also, they launched the 1000 series for SMBs. They have all the same features as the enterprise solutions, but the throughput is less and, obviously, the price is less as well. It's a very nice appliance. However, imagine you buy one, take it out of the box to connect it and the device needs one hour or two hours to start up. That is a pain and that is not appropriate for the 21st century. They should solve that issue.

Another issue is that when you integrate different Cisco solutions with each other, there is an overlap of features and you need to turn some of them off, and that is not very good.  If you don't, and you have overlap, you will have problems. Disabling the overlap can be done manually or the solution can identify that there is already a process running, and will tell you to please disable that function.

For today's threats, for today's reality, you need to add solutions to the ASA, either from Cisco or from other vendors, to have a full security solution in an enterprise company.

View full review »
AS
CSD Manager at BTC

The traffic inspection and the Firepower engine are the most valuable features. It gives you full details, application details, traffic monitoring, and the threats. It gives you all the containers the user is using, especially at the application level. The solution also provides application visibility and control.

The integration between the ASA and Cisco ISE is very easy because they are from the same vendor. We don't face any integration problems. This is one of the valuable points of Cisco firewalls. They can be easily integrated with different Cisco security products.

Our clients also use other products with Cisco ASA, such as Aruba ClearPass and different NAC solutions. The integration of these other products is also easy with Cisco. 

It integrates with email security and Firepower. For example, if you have an attached file infected or you have attacks through email, the traffic will be forwarded to the email security and it will be blocked by the firewall. It gives you a clear view of the file and it can be blocked at every stage, protecting your network from this threat.

One of the best parts is the traffic management and the inspection of the traffic packets. The Device Manager is easy to use to supervise things, and the Firepower application gives you clear threat detection and blocking of all threats. Cisco also provides a better analysis of the traffic.

In addition, Talos is an enhancement to Cisco firewalls, and provides a better view.

The device management options, such as Firepower Device Manager (FDM), Cisco Firepower Management Center (FMC), or Cisco Defense Orchestrator (CDO) add a lot of enhancements in the initial deployment and configuration. In migrating, they can help to create the migration configuration and they help in managing encryption and automation. They add a lot enhancements to the device. They make things easier. In the past, you had to use the CLI and you could not control all this. Now you have a GUI which provides visibility and you can easily integrate and make changes.

View full review »
LX
Network Specialist at a financial services firm with 501-1,000 employees

It's very good to get partner support if you're not very familiar with how Cisco works. Cisco Certified Partner support is a priority.

For application visibility and control we're using a WAN optimizer called Silver Peak.

To replace the firewalls within our data center we're planning to put in FMCs and FTDs. With the new FMCs what I like is that you don't need to log in to the firewalls directly. Whatever changes you do are done on your FMCs. That is a much needed improvement over the old ASAs. You can log in to the management center to make any configuration changes. 

There are two of us managing the ASAs in our company, myself and a colleague, and we are both network specialists. We plan to increase usage. We're a company of 650 employees and we also have consultants who are coming from outside to gain access to certain services on our network. We need to make provisions on the firewall for them.

View full review »
TR
Tier 2 Network Engineer at a comms service provider with 1,001-5,000 employees

One of the problems that we have had is the solution requires Java to work. This has caused some problems with the application visibility and control. When the Java works, it is good, but Java wasn't a good choice. I don't like the Java implementation. It can be difficult to work with sometimes.

If you use Cisco ASDM with the command line configuration, it can look a bit messy. We have some people who use them both. If you use one, it's not a problem. If you use both, it can be an issue.

View full review »
ON
Network & Systems Administrator at T-Systems

It's an almost perfect solution.

The configuration is very easy.

The management aspect of the product is very straightforward.

The solution offers very good protection. 

The user interface itself is very nice and quite intuitive.

View full review »
KS
CEO & Co-Founder at a tech services company with 51-200 employees

The configuration support is very good. You can find a lot of configuration samples and troubleshooting tips on the internet, which is very good.

View full review »
Executive Director at ict training and development center

We primarily use the solution for basic firewall configurations such as NAT, FORWARD PORT and Block TCP-UDP Port.

   

View full review »
EL
Technical Specialist, consultant at a computer software company with 10,001+ employees

The configuration capabilities and the integration with other tools are the most valuable features. 

I really like this product. Cisco is one of my favorite brands, and I always think Cisco solutions are very reliable, easy to configure, and very secure.

View full review »
VS
Lead System Engineer at a comms service provider with 201-500 employees

The initial setup was straightforward. 

It's easy to install and it doesn't take a lot of time for the initial configuration.

It took an hour to install.

View full review »
Systems Administrator\Ag. IT Manager at a construction company with 201-500 employees

Its configuration through GUI as well as CLI can be improved and made easier.

View full review »
JG
Gerente de Unidad at Redescomm, C.A.

The graphical interface should be improved to make the configuration easier, to do things with a single click.

There should be better integration with open-source products because some of our clients use them. It would be helpful if they integrated well.

View full review »
DS
Network Consulting Engineer at a comms service provider with 201-500 employees

I have not been in contact with technical support but I use the implementation guide. I have also used the community support and I think that it's okay. The information that I received about the configuration was good.

View full review »
Presales Engineer at a comms service provider with 51-200 employees

It would be ideal if the solution offered a web application firewall.

We've had some issues with stability.

The solution has some scalability limitations.

The firewall itself has become a bit dated.

The pricing on the solution is a bit high.

Some individuals find the setup and configuration challenging.

View full review »
Program director at a tech consulting company with 201-500 employees

It's easy for me to configure one because I have firewall configuration certifications. I don't know what someone with nothing in terms of experience would be able to do. 

It normally takes me a week to implement and deploy. I normally need a week and three people to do maintenance.

View full review »
SF
System Engineer at a tech services company with 501-1,000 employees

The configuration is an area that needs improvement.

In the next release, I would like to see the UI include or provide web access, and more integration.

View full review »
RW
Cyber Security Consultant at a tech services company with 51-200 employees

For a non-Cisco guy like me, there is quite a substantial amount of learning that needs to be done to actually understand how the products are. Some brands like FortiGate, require only an hour and 15 minutes to enable the product, to facilitate the basic requirements of connecting up the traffic and adding on the firewall router. For Cisco, there are levels of challenges because it's a hardened solution that sees a lot of restrictions right out of the box.

Without really understanding how it works, then there'll be a lot of confusion regarding the traffic, etc. You'll find yourself wondering if there are any security concerns if you alter it out-of-the-box. The management console is quite outdated; usually, a lot of configuration is through Commander. We really need to understand how to articulate the Cisco Commander to perform even the most basic feature.

View full review »
VG
Network Security Engineer at a tech services company with 51-200 employees

The Inline Mode configuration works really well, and ASA works very impressively.

View full review »
JD
Network Security Engineer at a tech services company with 1,001-5,000 employees

It lacks management. For me, it still doesn't have a proper management tool or GUI for configuration, logging, and visualization. Its management is not that easy. It is also not very flexible and easy to configure. They used to have a product called CSM, but it is no longer being developed. FortiGate is better than this solution in terms of GUI, flexibility, and user-friendliness.

View full review »
Network Engineer at LIAQUAT NATIONAL HOSPITAL & MEDIACAL COLLEGE

Cisco, obviously, gives you a great amount of reliability which comes in handy. The brand is recognized as being strong. 

Even in very big environments, Cisco comes in handy with configuration and offers reliability when it comes to managing multiple items on one platform. You are able to integrate Firepower and all AMP. With so many items to configure, I haven't yet done them all, however, I hope to.

It's great for securing the network. You learn a lot.

The initial setup is straightforward.

The solution is very stable.

The scalability of the solution is very good.

View full review »
Network security engineer at a tech services company with 1,001-5,000 employees

Cisco should work on ASDM. One of the biggest drawbacks of Cisco ASA is ASDM GUI. Cisco should improve the ASDM GUI. The configuration through ASDM is really difficult as compared to CLI. Sometimes when you are doing the configuration in ASDM, it suddenly crashes. It also crashes while pushing a policy. Cisco should really work on this.

View full review »
Co-Founder at Multitechservers

The initial setup was not overly complex or difficult. It was quite straightforward and very easy to implement. 

Deployment takes about 20 to 25 minutes. 

In terms of the implementation strategy, at first, we put up the appliances in the data center. After that, we connected it with the console. After connecting the console, we had an in-house engineer that assisted. Cisco provided us onboarding help and they configured our device for us. We have just provided them the IP address and which port we wanted up. Our initial configuration has been done by them.

View full review »
Head of ICT Infrastructure and Security at City of Harare

The initial configurations were straightforward, not complex at all. It took us just two days to finalize things.

View full review »
AK
Senior Information Security Analyst at a manufacturing company with 10,001+ employees

My advice to those wanting to implement the solution is to look at their use case and see if it meets those requirements for what they are looking for. There are a lot of security features that people may not be aware of and do not use. Explore the solution and all its features which will help you understand the configurations.

I rate Cisco ASA Firewall an eight out of ten.

View full review »
Network Administration Section Head at a financial services firm with 1,001-5,000 employees

It is a security device, and it is useful for securing our environment. It provides role-based access and other features and helps us in easily securing our environment.

It provides visibility. It has been helpful for packet inspection and logging activities for all kinds of packets, such as routing packets, denied packets, and permitted packets. All these activities are visible on Cisco ASA. There are different commands for logging and visibility.

We use Cisco ASA for the integration of the network. Our company is a financial company, and we are integrating different organizations and banks by using Cisco ASA. We are using role-based access. Any integration, any access, or any configuration is role-based. 

View full review »
Network Engineer at a energy/utilities company with 10,001+ employees

The configuration was kind of straightforward from the command line and also from the ASDM. It was very easy to manage by using their software in Java. 

High throughput, high concurrent connections, easy site-to-site VPN were also valuable. It also had the capability to do double network translations, which is really useful when you are integrating with other vendors for site-to-site VPN.

View full review »
WS
IT Consultant at Hostlink IT Solutions

We provide IT solutions. We provide solutions to our customers based on their requirements. We support them from the beginning and do the installation and configuration in the head office and front office.

We installed Cisco ASA to support a customer in a WAN environment. They used it for site-to-site VPN and remote VPN. They used it for accessing remote office locations via the remote VPN feature. They had Cisco ASA 5500.

View full review »
Network Engineer at LEPL Smart Logic

It is not straightforward. You should know what to do, and it needs to be done from the command line. So, you should know what to do and how to do it.

From what I remember, its deployment took a week or 10 days. When I was doing the deployment, that company was migrating from an old data center to a new one. We were doing configurations for the new data center. The main goal was that users shouldn't know, and they shouldn't lose connectivity to their old data center and the new one. So, it was a very complex case. That's why it took more time.

View full review »
Voice and data infrastructure specialist at a tech services company with 1,001-5,000 employees

I am very happy to use this type of Cisco equipment in my infrastructure. It has given us the most value is the management of dynamic routing, in this case, EIGRP. This protocol, together with a series of additional configurations, has helped us to maintain an automatic redundancy in all our infrastructure, keeping us with very high numbers of operability and without failures that take more than 1 minute or that have not been resolved automatically. With this solution, we only speak with our suppliers either for a link or equipment report, and even if the box or circuit is out of operation, the operation continues to work without problems.

View full review »
Fortinet FortiGate: Configuration
Director at a integrator with 11-50 employees

Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that can occur during tunnel setup with other vendors' equipment.

SD-WAN feature at no cost. This is really great feature for remote locations (branch offices) and HQ, application steering between many ISP links becomes a simple task. Steering can be done dynamically by measuring link quality (latency, jitter, packet loss, available bandwidth).

Wi-Fi and Switch controller at no cost. FortiSwitch and FortiAP can become a kind of port extender of the firewall, all its ports can be referenced in firewall policies. When you have such management plane consolidation it gives you a simpler way to operate.

Security Fabric Framework is helping in analyzing sudden and rapid changes in whole infrastructure, and gives the ability to simplify daily operations (e.g. address objects synchronization between all firewalls in Fabric, estimating overall security rating, single-sign-on for admin access and many more)

Single Sign On support with deep LDAP integration (several variants for environments with different scales), RADIUS authentication.

Can work as transparent and explicit web-proxy, the last option supports Kerberos authentication which requires no agents installed on any windows server.

Human readable firewall policies with editable security policies and
addresses in single page. This is very useful and time saving feature.

Firmware upgrade process is very simple, even for cluster configurations it is fully automated by default.

Straightforward SNAT and DNAT; you may work in two ways: with Central NAT rules configuration and by applying translation directly inside firewall policies.

Bulk CLI commands are uploaded via gui in script file (portions of config file).

VDOMs are very useful when you need to grant admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which can have different log storage policies, event handling and alerting configurations. You can create one VDOM working in NAT/Route mode, and another VDOM working in Transparent mode.

If you don't want to create and use second VDOM you can still transparently inspect traffic at layer 2 level while having only one VDOM in NAT/Route mode. This is achived by configuring Virtual Wire Pair ports that work like a separate bridge.

Ability to capture packets going through any interface of device (and VM too). You can set number of packets, filter out packets by IP and port number for particular troubleshooting purposes, then download a .pcap file from web gui and analyze it in your favorite programm.

Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network.

IPS, AV, Web Filter, AppControl profiles are working very well.

SSL Inspection and CASI (Cloud Access Security Inspection) profiles.

Rich logging options allow you troubleshoot most problems.

Straightforward HA with different redundancy schemas.

IPv6 support.

View full review »
AN
System Administrator at a financial services firm with 5,001-10,000 employees

For me, this solution has nothing to improve and it meets the needs that I have. I don't see any way to improve, at least from my point of view on regular use.

In the next release, maybe the documentation on how to use this solution could be improved.

What I have noticed is that when we have done some configurations directly from the command line, there is not a lot of information regarding splitting.

View full review »
JC
Network Security Engineer at a performing arts with 201-500 employees

The commercial side of things can be improved a bit. They have such a good product, and when you disable some features, it has to be commercialized for you to enjoy those features. Therefore, you are actually buying half a product. You have hardware there, and yet, your features are not enabled. The primary things, such as the antivirus, web filter, DNS filter, application intrusion, file filter, and email filter come with the general license. There are other things that you want to also enjoy in this system and you can't. 

There are SD-WAN network monitoring, SD-WAN features, Industrial Databases, Internet of Things, Detection, etc., however, we do have not licenses for those features. We thought that if you bought a product, you should have all of the features it offers. Why should you need to make so many extra purchases to enable features? They should have one price for the entire offering. That's one of the drawbacks they could look at. 

Sometimes the firmware automatically updates itself. Then it corrupts the configuration and you have to roll back or you have to do amendments to the configurations. That, however, has happened only once with us. We have put in controls for automatic updates to stop them and now we do manual allowance or we allow the manual update.

Most of the features are good. They give you pricing and you get a VPN for about 10 users where you can test it. For us, we feel that we need to buy extra licenses due to COVID, as people are working from home. Under the current conditions, we are not getting the best out of the firewall. 

They could just maybe put better graphics or better reporting into the solution. I want to know who is the user and what is the exact website they're visiting. Something like that would help. They should do more like what the GFI is doing.

View full review »
IK
System Administrator at a computer software company with 501-1,000 employees

The most valuable feature is the ease of configuration.

View full review »
UB
Solution Architect at a tech services company with 51-200 employees

One of the things I like best is the ease of configuration.

Management-wise, it is very good.

The most important feature, normally for small business customers, is link load balancing.

The firewall throughput is very good. Most of the customers in this region use FortiGate for their data center firewalls, and the main reason is because of its high throughput.

View full review »
TK
CIO at a manufacturing company with 201-500 employees

I am working as a manager, and I am not doing any of the configurations.

We only require one person for the maintenance of this solution.

View full review »
Owner at Tech Exchange

The biggest "gotcha" is that if the client purchases what they call the UTM shared bundle, which has unified threat management on both, it's not as easy to manage if you have more than one firewall. 

If I wanted a unified console, I have to pay extra. And that's the downfall. That's the only needed improvement that I would say for the Fortinet solution, is that they should have it web-based from the get-go. You should not have to buy an extra bundle or an extra device.

If I have to make an update to a web filter, and I have 12 devices, I've got to do it in 12 places. If I don't want to do that the client can pay for a pretty expensive device or virtual appliance that does that for them. It's like an expensive centralized management tool. That's the big downfall of Fortinet. It doesn't come included, you have to pay for it. Their web-based one, that's sort of just like an inventory manager. It's not really good for distributing roles. With Cisco, you don't have to do anything. The one from Aruba HD has one too. Fortinet should try to be similar to those options.

In the next release, it would be amazing if they could give a better tool for upgrading, so that if I upgrade from an older version to the other, it can read the configuration and processes it for me so that I don't have to rewrite it from scratch. In FortiConverter, they have a tool like this, however, it doesn't work well. It's really more for bringing items in from other vendors, not from one version to the other.

That was my last experience where they operated from version five to six. However, that's really the only big thing. The main thing is to include the FortiManager cloud software like Cisco does. To have one solution. If you paid $150 a year for the support, you might as well get that too so I could manage all the devices at one spot. They do have FortiCloud, however, it's not the same as the way Cisco does it. They are selling another product called FortiManager. FortiManager should be included with the support, and that would make it more of a business solution, rather than a feature request.

View full review »
AJ
Telecommunications Engineer at a university with 1,001-5,000 employees

The most valuable features are the policies, filtering, and configuration.

View full review »
IT & PPN Coordinator at a manufacturing company

The solution overall is very easy to understand. Therefore, the initial setup is not complex. It's straightforward. Even the configurations are good. An organization shouldn't have too much trouble with it.

How long it takes to deploy depends on  what you want to configure on a firewall. It depends on the policies being implemented. That definitely takes time depending on the company and what is being done. If you are familiar with all features and all the steps regarding how to create a policy and how to implement a policy, it is pretty easy and won't take too long. 

View full review »
RJ
Firewall Engineer at a marketing services firm with 1-10 employees

The solution's initial setup is not complex. It's pretty straightforward. In my case, I have many years of expertise working with FortiGate and therefore it was not difficult. It's quite good and easy to manage.

How long it takes to deploy the solution, depends on what the customers ask you to do. More or less, however, it might take maybe one day to make the initial setup of the unit and the configuration that the customer requests. It may take another day or two to put it on service and check that everything is working properly, once again, based on the requirements of the customer.

View full review »
JS
Network Systems Engineer at a tech services company with 501-1,000 employees

The initial setup was not complex. It was pretty straightforward.

How long it takes to deploy the solution depends on the company and the configurations required. Sometimes I am able to do it in one day, whereas other times it takes more than one month to complete.

View full review »
MS
President at Sovereign Mange Services

The product has enterprise capabilities, which means there are a ton of configurations possible.  What I'd like to see in the product is more of a branch in the box wizard deployment for those that are not as well versed in firewall and routing.  For a small business, the firewall should be able to self-configure for a Unified Threat Management configuration with 2 SSIDs for protected wireless network for internal gear and a guest wireless network for employee cell phones and guests.  I'd like to open the box, plug in the router behind the cable modem, and check a few boxes, and the rest is done automatically.  I don't want to have to build a configure VLANs, SSIDs, security protocols for each port, and try to figure out and understand all the layers in an effort to deploy a solution.  It's great to have those capabilities in case you need them, but for most of the offices I am trying to deploy these into--it should be a branch in a box.

View full review »
IT Director at Guangdong Technion Institute of Technology

In terms of what could be improved, the FortiGate support could do some improvements on their IPv6 configuration. Right now it's still in the very early stage for utilizing in an enterprise level network environment

In terms of the FortiGate IPS, we haven't gotten additional tools because they are not free, and we have to purchase them to maximize this IPS feature. As long as they can perform some basic functions to meet our business needs, that is okay. I'm okay with this feature right now, so far.

In the next release of FortiGate the price could be better.

View full review »
IT Manager at KSB MIL Controls Limited

The solution is very, very easy to use.

The user interface is very nice.

The product seems to offer pretty good customization.

The configuration of the product has been very straightforward and simple.

The reporting on offer is quite good.

The initial setup is straightforward as well.

We've found the pricing to be pretty good.

Technical support from the partner has been very helpful.

View full review »
SP
Data Center Operations and Customer Support Manager at a tech services company with 51-200 employees

Since we have been using FortiGate there haven't been any major problems so far. Especially nothing too serious like a major bug or anything like that.

The only issues that we have come across have had to do with simple configuration errors like missing configuration values from a previous implementation.

View full review »
IT Manager at Hadef & Partners

What I like the most is the configuration and that it's simple, and straightforward to maintain.

The UTM configuration on-premises is straightforward and simple to use.

Support is good and the interface is simple and intuitive.

View full review »
Director Of Technology at PT Exa Teknologi Indonesia

In terms of what could be improved, the SD-WAN is quite difficult, because if you install in the new box, 15 is okay, but if you change from an old configuration, if there is already a configuration and a policy when you change to SD-WAN, you must change the whole policy that you see in the interface.

View full review »
JT
CEO/CTO with 201-500 employees

We only use Fortinet's FortiGate for our hardware firewall protection.

However, if our clients need extra security, we may add other brands and security layers. We also work with SonicWall, Checkpoint, and Barracuda, for example.

I've also worked with pfSense, which is free, however, it has much more of a do-it-yourself approach. It's also quite different from other solutions. If you have Cisco experience, you'll be able to navigate Fortinet, whereas pfSense requires much more in-depth study. It has its own language, basically. That's one of the reasons you won't find too many of its configurations in China.

View full review »
PH
President at Integral Design Software

The initial setup and configuration are not intuitive and require training.

View full review »
Security Engineer at Hitachi Systems, Ltd.

The management console is pretty simple, so anyone who understands networking can initially deploy the solution. But you need some good hands-on experience for advanced configuration. The amount of time required to deploy depends upon the project and also the organization. So it takes around four to five days to deploy a smaller device. And for the largest device, it takes around a maximum of two months. We do the deployment on our own. So we have a sales team, a pre-sales team, and a deployment team. Our sales team gets this and handles the sales end. After that, we come into the picture. So we do the whole migration, as well as the new implementation and everything. It should take no more than two people to deploy. If we want to migrate from one Fortinet device to another, then we use the command line. They have some script in their firmware, and we can migrate the script directly from the older firewall to the new one. So it isn't too complex.

View full review »
Barracuda CloudGen Firewall: Configuration
Senior Network Engineer at a tech vendor with 11-50 employees

The interface should be more user-friendly and it should be easier to configure. Its configuration are divided per module/service. You will have Firewall service, VPN module and others service. Each services are under 1 server tree. You have to configure at different tabs to make it functions which I found easy to get confused. There are no wizard for guided configuration. You have to depend on their manual at barrcuda campus. Fortunately the manual is quite comprehensive.

The inclusion of a load-balancing capability in the future would be helpful.

View full review »
pfSense: Configuration
RN
Solutions Architect at a tech services company with 51-200 employees

The scalability is very good, where you can do an HA configuration and then bring in another box, if necessary. We have ten users in the organization.

We get very little usage and have no plans to increase it.

View full review »
CEO and Founder at Indicrypt Systems

This solution is absolutely stable. With some systems there's a necessity to regularly redo the configurations inside the system. With Pfsense that's not the case. I have no issues with it at all. 

View full review »
MB
IT Support Specialist with 51-200 employees

The initial setup has a bit of a learning curve. It's not complex per se. It just takes some getting used to. After the initial deployment, the other six or seven were easy. I could just copy the configuration of the other ones, change some IP addresses, and I was basically done.

View full review »
Consultant and Head of Services at ILANZ LLC

Well, its opensource... So for the tech-minded, its not so difficult but yes, the configuration is understandable for those with good prior firewall knowledge... 

If you can get it working, its great... But yes, thats the first part... Get it working... 

Oncw working, all licenses etc are not a problem as it is opensource... So no restrictions there... so far...

View full review »
Solution Architect, Managed Services & System Integration at Transmeet Technologies

The interface is not very shiny and attractive. Most of the people that use pfSense are highly skilled, so they don't even bother to go the extra mile when it comes to configuration or any protection mechanisms. With other firewalls, with just one click or with the assistance of a wizard, the service is already configured. With pfSense, you have to have some time to do your own research regarding how to fine-tune it. If that could be improved, then life would be much easier. This would help any entry-level users to adapt to the platform. 

Netgate, the mother organization that manages the pfSense platform, should offer organized security feeds for its users so that they can avoid configuring multiple types of feeds in multiple locations. That could generate extra revenue for the company, too.

View full review »
MA
CEO at a tech services company with 1-10 employees

The VPN is my favorite feature. pfSense is very easy to use. The interface and configuration capabilities are great.

View full review »
PG
Software Applications Manager at a engineering company with 201-500 employees

I've tried to scale the solution previously. I've got two hardware platforms running. I wasn't quite able to run everything I wanted on a small ARM based device. Therefore,  I build my own Super-micro platform based on Intel Denverton.

It's actually easy to scale. It's just moving over most of the configuration: exporting, importing, or even going right into the original XML export file.

There are six users, 3 dozen of devices and a homelab server with VM running behind the solution at this time.

View full review »
CA
Owner and business consultant at networks srl

The initial setup is straightforward. It took me about ten to 15 minutes to install it and maybe half an hour for configuration.

View full review »
Computer service technician at a manufacturing company with 1-10 employees

The configuration of the solution is a bit difficult.

View full review »
IT Manager at a marketing services firm with 1,001-5,000 employees

The initial setup is very simple and the configuration is user-friendly. It took me one day for the whole process.

View full review »
LB
Owner at The Computer Guy

Sometimes firewalls can get a little complicated. I think some of the things about the setup could be a little bit clearer. Maybe something like a configuration wizard or something that would guide you on more in-depth projects.

I'm running pfSense on old hardware, it takes all of 10 minutes to install.

View full review »
SonicWall TZ: Configuration
BT
Virtual CIO/ CISO at Kyber Security

Once you get past all the configuration issues, If you are on a rock-solid GA (Generally Available firmware), I don't know if I want to say it's bulletproof, however, the stability is really, really good. I don't sit and worry, thinking, "Oh, God. We know another one's going to fail today." We never think that way about that type of stuff. It's the odd time where we might get hardware failures or random reboots. We've had a couple of SMA units go sideways. Even SonicWall couldn't solve the problem. However, that said, it's rare.

View full review »
GM
IT Infra Head at a consumer goods company with 1,001-5,000 employees

It's a good product, but it's not a next-generation firewall. We are looking for a next-generation firewall and considering Cisco.

We require centralized monitoring of the network features, which they have but they are not to the level that we require.

The reporting is not good. Also, the historical configuration of the data or backup is not available.

To compete in the market, there have to be a lot of improvements.

We do not plan to continue using SonicWall TZ. We are looking for a replacement because we need centralized monitoring across the organization. It has been very difficult for us to manage the firewall as it is not managed centrally. This is the main drawback in our current scenario.

In the next release, I would like to see better scalability, easier installation, improved reporting, storage configuration, backup, and centralized management with reporting.

View full review »
ON
Diretor Comercial at a retailer with 1-10 employees

Its initial setup is simple. The duration depends on the number of users and configuration, but it usually takes around 12 hours. We have three or four people for its deployment.

View full review »
Director at FOXMINDS Solutions LLC

I would recommend this solution because it is easy to use and the configuration is simple.

I rate SonicWall TZ an eight out of ten.

View full review »
Senior Systems Analyst at a construction company with 1,001-5,000 employees

The solution is stable. We're an MSP, so if our clients have any dated hardware, we'll make a plan to switch to SonicWall, otherwise there can be issues with the internet or configuration where we can't get in and troubleshoot. We need to know we can get into the firewalls and make sure that they're online, as opposed to having to schedule someone to come in and deal with the basic physical connections or troubleshoot.

View full review »
Business cybersecurity Specialist at Forlopd

Their scalability is wonderful. SonicWall has a migration table and it's easy to migrate the configuration of a small model to medium or all types. It's really easy. No problem. I have done this a few times and each time was perfect.

We have almost 100 users.

One person is enough for doing maintenance on SonicWall.

We do have plans to increase usage to more or less 10 or 20% more users next year.

View full review »
SonicWall NSa: Configuration
AM
Manager with 51-200 employees

While there are a lot of options on the market, we only use SonicWall at this time. We have used Sophos in the past previously. We found that Sophos Firewall had more flexibility compared to SonicWall, especially in the configuration capabilities.

View full review »
Senior Systems Administrator at a manufacturing company with 51-200 employees

At this office, the firewall was already configured when I started working here, so I only needed to make some adjustments. We have another office that we acquired recently, and I implemented the firewall there. The configuration was pretty straightforward. The graphical interface is very intuitive and that helps. 

View full review »
PB
IT Security Analyst at a outsourcing company with 51-200 employees

I used to work on SonicWall regularly. Now, I am working as an IT analyst and my job is to check the SonicWall configuration and test it. For example, I have to check the policy and then audit which ports are open.

View full review »
Technical Lead at 64Network Security

The initial setup is definitely user-friendly, it's easy.

It only takes an hour to deploy, which includes the configuration.

View full review »
AA
Director of IT at a consultancy with 11-50 employees

The initial setup isn't too complex. My understanding is that it's straightforward. I didn't set it up myself, however, it's got configuration wizards to walk a user through. This no doubt is quite helpful and makes it pretty simple in terms of implementation.

View full review »
Network Security Engineer at Next Step

We are integrators, but for SonicWall, we use it for a specific project in industrial cybersecurity. It was for ransomware recovery and network restoration.

We did the firewall and the configuration for the ransomware prevention.

Our clients were using it to control the SCADA System in their industry.

View full review »
MV
Network Administrator at a healthcare company with 201-500 employees

It's not as easy to use, as, for example, Palo Alto.

Some of the configurations could be better.

View full review »
IC
ICT Consultant at a tech services company with 11-50 employees

I like the solution's configuration, interfaces, and user guides.

View full review »
NH
IT Manager at a insurance company with 51-200 employees

The installation is not easy, you should have a basic understanding of your network and what your requirements are. Generally, the implementation is done by the vendor. We have an external party who used to do the basic configuration. However, the new generation firewalls do not take much time and are easier.

View full review »
SA
Manager of IT at a healthcare company with 10,001+ employees

I didn't use support over the last nine years, except for handling the device replacement itself. I needed a device replacement due to some damage, and they fulfilled my request and requirements. In terms of tasks such as configuration issues, I've never actually asked for assistance for those queries and therefore could not rate how helpful or responsive they are when they cover those matters. 

View full review »
Cyber Security at a tech services company with 1-10 employees

I am a technical engineer, I have complete knowledge of SonicWall. I can do all of the configurations for the firewall. We are a service-based company and I handle the different solutions. If they need any requirement or they any action on the firewall then I can do that myself. 

The only thing that needs improvement is the VPN because we need to pay to connect the points.

View full review »
Sophos XG: Configuration
KS
Manager IT at a retailer with 201-500 employees

The initial setup and configuration are not difficult for somebody with firewall experience. However, for somebody who has not worked on one in the past, it will be complicated.

View full review »
Director, Middle East, East India & SAARC at a tech company with 51-200 employees

The initial setup was simple. Within one to two hours, we were done. This was not just the installation, but the complete configuration.

View full review »
SB
Network Team Lead at a manufacturing company with 5,001-10,000 employees

The initial setup is straightforward. It is a single day task to do the initial configuration and move the traffic over there. The firewall hardening, of course, will take some time depending upon the traffic, but the initial setup is a single day task.

View full review »
CTO at Kingsway Hospitals

The initial setup was a little complex because of the kind of configuration that we were looking at, the way the firewall had to be configured was slightly complex. We carried out the implementation ourselves and it took a maximum two days. 

View full review »
Senior IT Consultant - Sophos Architect at ARENTIA S.A.

The web application firewall or WAF is very useful. Web application firewalls help keep your servers safe from hackers by scanning activity and identifying probes and attacks.
Using the Web Application Firewall (WAF), also known as reverse proxy, Sophos
UTM lets you protect your webservers from attacks and malicious
behavior like cross-site scripting (XSS), SQL injection, directory
traversal, and other potent attacks against your servers.
You can define external addresses (virtual webservers) which should be
translated into the "real" machines in place of using the DNAT rule(s).
From there, servers can be protected using a variety of patterns and
detection methods.

This function has been completely re-developed in XG, relatively of the UTM-9 version, and it works fine. I protect many internet web servers (IIS) for my customers with this function, due to of a lot of attempted attacks. It's a very useful and relatively simple to implement in Sophos XG.

Obviously, like all security systems, it is not a "fire and forget" configuration. It is necessary to properly analyze the system to be protected, create an appropriate policy and monitor its behavior once activated.

https://support.sophos.com/sup...

View full review »
WG
Network Security Administrator at a comms service provider with 501-1,000 employees

The initial setup was straightforward. It took us less than 30 minutes. Normally, it depends on the size of your organization, so for mine, the installation was less than 15 minutes. By 30 minutes I was finished even with the setup and configuration.

View full review »
MS
Information Technology Security Officer at a government with 201-500 employees

It is not a very scalable product. I would rate the scalability a seven out of ten because where you order it, it comes with prefixed ports. You will only have perhaps two for the WAN, and then maybe four LAN ports, and one console. In this regard, it's not scalable. 

When you buy it, you can't change the port configuration. In order to get more ports, you may have to upgrade to a bigger firewall.

We have about 130 accounts for approximately 80 employees.

View full review »
KN
Service Delivery Engineer - Network Security Lead at a tech services company with 51-200 employees

The most valuable feature is the Intercept X. It is the advanced features that are used for malware detection and antivirus. It's similar to antivirus on steroids.

It's simple to use and has a simple interface. It's generally straightforward and configuration-wise, it's not complex. 

It's a very simple product to use and that's why you find it is used mostly in small to medium-sized enterprises. They don't have the manpower that a large organization can have, in terms of the skilled workforce when it comes to cybersecurity. They just need something that is simple to use, simple to manage, and simple to administer, but effective at the same time. That's the main selling point for Sophos.

View full review »
FA
Systems Administrator Team Leader at a retailer with 1,001-5,000 employees

The initial setup is carried out on the portal so you need to work on the configuration with the respective partner and have the portal accessing all of the environment. It's a simple setup. We have deployed this solution on around 200 machines.

View full review »
User at supernovatel

The initial setup and configuration was very easy for us. I think it's easier than the other options in the marketplace. The deployment time is relative. For example, if you're deploying for a client who has another firewall and have to integrate it, it'll take around two or three days. But if it's a new environment, you can deploy the firewall within two hours.

View full review »
DM
ICT Manager at a hospitality company with 1,001-5,000 employees

We find it easy to use. Its internal configuration is very easy. It is not complicated in terms of use and configuration.

It has been fairly stable, and it is also scalable.

View full review »
Owner at Dinamica en Microsistemas de Informatica, S.A. de C.V.

The initial setup is not complex. However, here in Mexico, it's very complex to sell the product. The brand is not as well known.

That said, the process is pretty straightforward. 

The deployment times vary. It depends on the end-user and what they need. Sometimes, it's easy as they don't have too many policies. The more policies they have, the longer it takes.

In other cases, clients may have a lot of VPNs. We have to work on those VPNs, and we have to do a lot of routing. However, that depends on the customer. Not all are like that.

For one appliance, you just need one person for deployment and maintenance. If we are working a lot of VPNs, we would have to use more people. We need to involve maybe two or three individuals and re-apply the configuration in that case. 

View full review »
Head of Cybersecurity at mundo credito

I am using the Azure Active Directory in my company and it was complicated to integrate this solution with Azure. I had to use an internal VPN and had to do many configurations to get it operating. This process should be easier to implement.

View full review »
CEO at MARVIV SRLS

The initial setup is not so complicated. The system is not complicated to understand and also in can be installed without a very high level of expertise. Of course, if you have this kind of expertise, you can obtain from the system the maximum performance that the system can do, however, it means that you are not obliged to be a guru to be able to use these kinds of products. You can use these kinds of products just as an IT manager inside the company without having or needing special knowledge. 

Otherwise, you can leave to Sophos with the capability of doing something like a close box. You are sure that Sophos is able to guarantee the level of security that you are expecting. You can have it be automatic, or you can choose to go more manual in its operations. For example, if you were a professional photographer, you'd probably like a manual experience, as it would allow you more leeway with your craft, and if you were an amateur, you 'ld likely prefer an automatic camera that handles the heavy lifting for you. Sophos, in that sense, is the same. If you want, you can configure single parameters, or you can leave it to Sophos to give you something out-of-the-box.

In any case, if you stay on the automatic configuration, you are guaranteed that the system can provide the correct level of service that you want. It means that it's not required to have an expert. That said, you need of course to have a minimum level of knowledge, as it's clear that you need to know what you are managing. Starting from that, you can obtain what you need without moving into an advanced configuration.

Typically, a configuration takes about half a day or so, if you go that route. It doesn't take long, as those who would handle it would know what they are doing.

View full review »
MA
Head of Network Department at a financial services firm with 1,001-5,000 employees

The GUI and support could be better. I think there are other products that we are going to deploy instead of Sophos. We have already upgraded a month ago because the interfaces and support for Sophos are really weak. But other products like Juniper, Cisco, or FortiGate are better than Sophos. It's also complicated, and the end-user or client does not understand it.

The interfaces and the GUI design are not easy, and when you do something, unrelated things are in the same configuration site. There are different sites to visit to configure Sophos. This is even more than other products. Many features can be improved, especially the VPN and web filtering features.

View full review »
JN
Senior Engineer at a engineering company with 11-50 employees

I would advise others to go through the Sophos demos. They are very good, and they walk you through configuration and use cases. Their online documentation is very helpful in not only configuring it but also selecting a proper model to deploy.

I would rate Sophos XG an eight out of ten for ease of use and cost.

View full review »
SK
Senior Consultant at Wavednet Group

The installation is very easy for anyone. The configuration is straightforward, all the information is available through a quick Google search.

View full review »
PB
IT Manager for Network and Security at a religious institution with 51-200 employees

I've worked with Sophos previously and we had a different setup. In terms of implementation, sometimes there are complex setups and sometimes the setup s are more basic. Right now, we have a complex setup. We need to ensure interconnectivity between our branches. We'll have different networks, different sites, and a lot of complexity. 

It doesn't really take too long to deploy, however. The support from the supplier is good. They're always available to assist. They are well-trained and they are already familiar with the setups and configuration so they're doing a pretty good job in terms of helping us.

View full review »
IT Manager at a hospitality company with 51-200 employees

In the past, I have worked with SonicWall and Fortinet products.

I prefer Sophos because of the user-friendly configuration and stability.

View full review »
IT Manager at k sera sera

The initial setup is quite easy. it's not overly complex. The configuration process is also very simple.

We have a team within our organization that can handle any maintenance that is required.

View full review »
Operations Manager at VL Toolbox Express Computer Solutions

The solution is scalable, but an organization should assess in advance its size based needs. Say, for example, a company utilizes the XG 125 version, but grows rapidly. At this point it may need to switch to the 210 version. Yet, switching from one version to another would not really present an issue. One can restore the backup configuration version on the new hardware and be up and running. 

View full review »
IT Technician at Zimbabwe School of MInes

There have been some issues when upgrading. For some reason, parts of the configuration become unconfigured, I then have to reconfigure it. I should not need to keep reconfiguring it after upgrades.

View full review »
NS
Sr Information technology consultant at onkar international pvt ltd

There's no additional cost for installation. The provider from which we purchased, the vendor, himself arranged all installation and configuration. They helped us. However, even through customer care, a company can ask for assistance. 

View full review »
AM
Creative Head/Director at a marketing services firm with 1-10 employees

I am the technical person. Installation can be handled independently. We do the configuration of the firewall. 

We have two teams that are responsible for the deployment, a firewall and a network one. We can handle the implementation using both teams. 

View full review »
MI
Sr. Network Administrator at a manufacturing company with 201-500 employees

We migrated from Cyberoam. The migration went very well.

The migration process did not require a lot of configuration.

It took a few days to complete the migration and the testing.

This solution is being managed by myself and a colleague. We are a team of two.

View full review »
KV
IT support officer at a wholesaler/distributor with 51-200 employees

I contacted the external partner, and the setup was easy. It took about two or three days. Some little pictures were difficult for us to find, but that's normal. We could not make a one-to-one copy of the older one, so we had to search for some little personal configurations here. Now that everything is configured right, we are happy to have it. 

View full review »
NP
Network & System Support Engineer at a tech services company with 11-50 employees

When it comes to the firewall, everything hinges on the configuration. Every firewall is good, but one can see the importance of the configuration in the firewalls of Sophos and SonicWall. This is the most important thing, since users occcasionally disable the app control, IPS or anti-spyware features. They do this out of a lack of familiarity with the security, something which allows attacks to occur. Therefore, the configuration is key. I configure every firewall I employ, be it Sophos, SonicWall or Fortinet. 

I have not encountered any issues when it comes to the configuration

View full review »
PB
Tech Doctor at a recruiting/HR firm with 11-50 employees

Compared to other firewalls that I had looked at, I thought Sophos was the better solution. It just seems to be easier to manage versus Cisco, Fortinet, or one of the other options I was looking at.

I'm not going to say that it's easy to configure, but I can understand how to configure it. There is a certain amount of support available to do the configurations. 

View full review »
Kerio Control: Configuration
VP Engineering & Admin at E3 Systems

The interface control manager where we can allocate LAN connections to certain VLANs is the most valuable feature. The other feature that's important for us is because everything is remote with MyKerio, as long as the boat has an internet connection, we can log onto the Kerio and get statistics, as well as provide support.

It's important because unlike a company where a company has an IT person on-site because these are yachts, they have a boat crew that is not necessarily "IT," so they rely upon us to provide them with their IT services. This is a platform that allows us to control and troubleshoot as necessary.

I would say about 95% to 97% of all of our support is managed remotely because of the nature of superyachts, where they're located, and the importance of the people that own them.

I have not run into any issues or complaints with regard to the firewall and intrusion detection features. I find that in this industry, the fact that those are services that are included is important. But I can't speak to the operability of it.

Because I interface the most with the boats and the crews, I've never run into an issue with the comprehensiveness of the security features.

In terms of the ease of use, if you took 15 different network professionals and told them to configure a Kerio Control, you would get 15 different configurations. Having said that, within our specific business segment, we have learned the configuration that works best for us and works best for our customers. The way that we have set it up is to not put the onus on the boat to make any changes, but if they need to make any changes they allow us to go in there and make changes. 

From my experience, I don't necessarily do the configuration on them, but I do manage them. If there's a boat that has a problem, I'm the first phone call. Most of the time I can figure it out, but what we provide as a service is that we refer to it as a virtual ETO which is an electronics and technology officer. That would be an actual IT person, but for the most part, we just encourage our customers to defer their technical queries to us and allow us to manage it for them.

It has saved time for the members of our team who manage security based on how they're using it. It has saved time in the sense that they have an integrated security solution. I think the maritime industry is moving towards a standardized security initiative because the problem is that everything within the maritime industry is based on international, not national standards. So where and how the Kerio Control will fit into that is undetermined because the IMO, International Maritime Organization, has not yet determined what those standards are going to be. It's still a work in process.

It has a VPN back to our data center but I don't think it has increased the number of VPN clients extended to those outside our environment

View full review »
Owner at Fr@nkonnections

I use it as a service for my customers. My primary target is to help my customers in the best way to protect them from the dangerous things from the Internet. As a solution, it's easy to maintain. The product is a good solver that also depends on good support and its availability of engineers.

I am using the latest version of Kerio Control. It is an old type of configuration with VPN connections. I still like the product very much.

It is mostly installed on the Linux software appliance. That's what I mostly use for my customers.

View full review »
MS
Freelance IT Specialist at a computer software company with 501-1,000 employees

I am self-employed, so I work with other companies that usually do the installation of the hardware and I come in at the end to just make sure everything's all configured correctly and set up properly for Kerio configuration.

View full review »
IT Manager at Flare Technologies

The setup is straight out-of-the-box. Take it out of the box, run through the wizard, configure it with the settings that you should already know, and then it works and you get in online. That's the basic setup, because the Traffic Rules, by default, allow everything out and stop everything coming in. That's enough to just get online.

You then go to start defining your networks and your traffic rules. Putting multiple VLANs in there is easy. Even as it gets to be a more complex configuration, it's easy to do.

Sometimes it's time-consuming if it's a large configuration, but that's just what it is. It takes time to click boxes if it's a large network with lots of different scenarios, and to type in all the IP addresses.

But it's easy out-of-the-box for a basic configuration and still fairly easy if you've got that knowledge of the Kerio and networking. Just a little time-consuming. If there were some kind of import or bulk add, that would be nice, but that's on a wish list. It's really not that necessary.

If a customer just wants something out-of-the-box, we plug it in, make it work, and it probably takes a couple of hours, at the most. If it's a bit more complex, it might take a day. It might take longer if you don't know what you're doing.

I've always told customers that there is no fixed configuration. This thing will work and do what you want it to do. As time progresses, it evolves with the changing requirements. So we can give them a solution. They can give us some key config points telling us "Okay, we want this many networks and we want these users, and these particular rules," etc. We configure all that  in a day and test it the next day. After that, it's ongoing. They might decide, "Oh, we actually want to change the bandwidth allocation," or "We've got a new internet interface," or we want to block Facebook at a specific time. It's ongoing.

View full review »
GR
ICT Consultant at D-R Consulting Pty Ltd

It's a combination of authentication, internal network DNS, filtering, and antivirus. It is a standalone product which has a lot of the features that a Windows domain might have. However, I don't need to have a whole lot of Windows or Mac infrastructure, as I can do all my network management from Kerio.

One very good thing about the Kerio device is its authentication. I don't have a Windows domain for authentication. Instead, I use the Kerio product because it can separate users by Mac addresses and give them IP addresses based on their usernames, automatically logging them in. This makes for a very simple authentication system.

The solution’s firewall and intrusion detection features are pretty good. I have, at different times, connected directly to the Internet in bridge modes with the modem, and the noise in the logs is phenomenal. So, it does a good job. I can see that the intrusion prevention catches everything that is coming at it. I tend to not use it in that mode. I have it connect to a port on my modem router, so I let the modem router take all the initial intrusion noise, then not much gets through to Kerio. That just gives me a lot of confidence that I have a secure network.

For the content filter, I am pretty much running their default. I haven't added any rules to that myself. The default does a pretty good job at picking up things. I might have whitelisted one or two things that I use which it tends to pick up, but I know they are okay.

Kerio Control gives us everything we need in one product. 

The feature that I'm relying on: If the appliance died and I had to get another one, Kerio has a configuration backup. Therefore, it's pretty easy to restore to a new appliance.

View full review »
Solutions Architect at Clockwork Solutions

Its primary job is to protect us and give us a degree of comfort. We're putting a lot of effort into creating a financial trading system. We want some comfort that it's secure behind the quality firewall and that's really what beckoned its purchase. The fact that we've not had any issue indicates that it must be doing that job reasonably well, and the fact that we don't get any of those attempted attacks from the block in China, because of geo-blocking, is probably the strongest feature for us. I wouldn't say it improves what we do because it doesn't affect what we do. It's really just security.  It's a tool to improve our security profile for what we do.

We don't expose our remote desktop connected servers to the internet anymore. But when we did have that, because the security log is a really easy thing to set up, it would show you all the attempted, brute force attacks. That's now down to zero. We don't get any brute force attacks, but at the same time, we don't expose the Port 3389 out to the internet. We could achieve the same result with a domestic firewall in a domestic router. However, this gives us a degree of comfort that we can actually analyze any traffic that looks a bit suspicious, inbound, or outbound. That's a definite step change compared to what we'd have in an out-of-the-box type of router.

Security is there to slow things down and make things a bit tricky. That's its bottom line. If security is easy, it's probably being done wrong.

Certainly in the first few months of using it, it was quite time-consuming to get a configuration working that was reliable. Because I work from home, I originally had it protecting everything coming in and out of the home which didn't work well at all. It's protecting the home office and the server environment. Everything else just goes straight out of the domestic router out to the internet because we've got IPTV, with kids on devices. They don't need such a high level of protection. It would be nice to give them that because if you've got this perimeter that's protected by a really good quality product, you want to protect everything.  But when we tried that, it seemed to struggle with the high volume of traffic that was being generated by the IP cameras, the IPTV service, and the myriad of devices and iPads that we have in the house. So we stopped using it for that purpose.

View full review »
IT & Installations Manager at Odyssey Gaming

We turned on two-factor authentication just after the shutdown when we knew we were going to get more users using it. That was the only feature that I've used recently that was different and it worked fine. You only have to authenticate once every 30 days, once you've fully authenticated. It was easy. Technically, it's not a full implementation. It's two-factor on every login, but it's certainly more secure than it was.

In terms of the comprehensiveness of the security features, I know that we haven't had any breaches before. We've had security issues before but it hasn't been with the data center implementation. We have a technology partner that we use to consult for configuration and Kerio was their number one recommendation at the time. We've never had an issue since implementing that. While it works, it's not an issue for me. Best to our knowledge, we haven't had any data breaches.

We do a lot of audits in terms of data security. I don't know if that's ever been an issue here because a lot of our production stuff is actually walled off from our corporate network so it's of lesser risk factor. We were regulatory. We're a licensed regulatory body as well. We monitor gaming machines throughout the state. A lot of our security and the production network is a lot higher than our corporate. Not that corporate's not high, but there are a lot more freedoms for the user under the corporate network umbrella anyway. But it does what it needs to do. We haven't had an issue with it. The most we've had to do when we've had an issue is upgrade the VPN Client's software.

Before using Kerio, with another software, we did experience security breaches. Not so much with a firewalling product. We've had issues with breaches of user breaches. So phishing attempts and so forth. Just the general user stuff, but not through the corporate firewall. And honestly, we didn't handle all of that previously. We only took that on board about six or seven years ago when we changed ownership. So a lot of our services are in the cloud these days as well. Office 365 and so forth.

In a roundabout way, its security features played a role in our decision to go with it. We rely on the advice of our consultant and the consultant recommended this configuration, this software, and this appliance. So, it was more about the appliance. It was more about the flexibility than what we needed to do in a data center environment as well, to be able to manage it remotely and securely. It's been very easy to manage. 

The consultant was TechPath. TechPath is very good. I have full faith in TechPath. They're an MSP and we've just used them as a consultant when we initially set up our wide area networks and the security around it. They have good guys there. We don't have a lot of network engineers in what we do. That's their job. That's why we use another consultant.

Because it's all ID integrated, it's very easy for a user to get online step by step. And in terms of the actual configuration of the firewall itself, it's an intuitive interface if you know what you're doing, in terms of logging traffic, spanning, and the rest of it. The logging is fine. 

Remote work has been increased by 100%. We would have had around 25 - 30 remote users. That's probably increased to 60 over the shutdown, including contact center staff. That'll scale back a little bit as people come back into the office, but overall, people don't stay connected during office hours, it's more of an as-needed basis. We still only have 10 to 15 concurrent users, but in terms of licensing, we have under five concurrent users at any one time before that. There was an increase, but it was not a resource-hungry increase. We said to make sure the licenses were sourced in advance.

View full review »
EMP Specialist at Global EPM BV

GFI's technical support is way too slow in terms of response times. Their knowledge is okay. They should know their products. Even though they bought Kerio, they were able to update the software with their developers and build some new routines in it.

But regarding the support, if I send out a solution or a request today, it's taking too long to get a proper answer. You should have an answer the same day, at least, and if possible a quick response via email. That would be preferable in our cases. I know that is not always possible. And that's for software issues. 

But if you have a hardware issue it's even worse because we are not able to get hardware maintenance on the firewalls. Ideally, within two hours of going down, a mechanic would come with a new firewall to replace it and to restore your saved configuration from the cloud. They don't have that. If a hardware issue arises with a firewall, then it takes at least a week, maybe a week-and-a-half, to get a new firewall sent by GFI. That's really not acceptable. If we have a hardware issue and we order something from some companies here in The Netherlands, we have it the next day. That would be acceptable.

We deal with that by having a spare NG500 lying around that we can use. We've never used it, so it's already three years old, doing nothing. But it's there.

View full review »
Account Manager (Technical) at Redfortress Ltd

We hired a guy to do the initial set up for us. I think he was a Kerio reseller and we used him for consultancy before it started and then he actually did the work on the Kerio as well, and the network in general.

Our experience with him was excellent. We've used him a couple of times since. He's brilliant. His knowledge of everything is incredible. We tried to do it all ourselves at first, but he came in and knew exactly what the problems were. Something that had taken us about four days, he did in five minutes. He's just incredibly knowledgeable about everything to do with networks: Cisco, Kerio, everything.

I've set up another one since, for the same company. I just copied the configuration file of the one and put it straight onto the other. They're in separate buildings, but they wanted them exactly the same so it was really easy.

That deployment took an hour, but it was because we already had one set up.

As for deployment and maintenance of these solutions we generally need just one person: me.

View full review »
MM
Senior Systems Tech/Admin at a computer software company with 1-10 employees

The solution is scalable. If you are using virtualized machines you can have as much memory and much storage, but you do not need much storage for this solution. It is powerful and fast, although it can slow down the internet because of the filtering. For example, if you have most of your services running, such as antivirus, content filtering, and intrusion prevention. When all of those are all enabled and there is a lot of configuration and it might slow down your internet service to about 70%, instead of a direct simple router.

View full review »
Cisco Firepower NGFW Firewall: Configuration
Technical Consulting Manager at a consultancy with 10,001+ employees

Compared to many years ago, the configuration is much more simplified. It is still not one button to get it all done. It's not easy enough. It hasn't reached the level where a junior staff member can get the job done. 

For my enterprise environment, the deployment goes wave by wave. It can take six to eight weeks. We do a rolling upgrade. It's not something that can be done in one action because the network is so huge and complex. 

We have a uniform implementation strategy. We have a standard upgrading proceeding. We do testing and verify and then we put it into production.  

View full review »
CISO / Associate Vice President - IT Infrastructure at a pharma/biotech company with 501-1,000 employees

The initial setup was complex. We engaged NTT Dimension Data as there were a couple things that needed to be done for our requirements and validation. This took time to get signed off on by quality team. However, the configuration/implementation of the system did not take much time. It was a vanilla implementation.

We did face performance issues with the console during implementation. The console was hacked and we needed to reinstall the console in the virtual environment. 

View full review »
Lead Network Security Engineer at TechnoCore LTD

My primary use case with Cisco Firepower NGFW is implementing, configuring, maintaining, and troubleshooting lab and customer devices in both lab and production environments.

Using best practices for configuration, as well as fine-tuning intrusion policies and utilizing as many of the features that the firewall has to offer, which are feasible in said environment.

Overall, I am confident to say that I have worked with every flavor of Cisco Firepower NGFW, be it their older IPS-only sensors, ASA with Firepower services, as well as the FTD sensor itself.

View full review »
Chief Technology Officer at Future Point Technologies

There needs to be an improvement in the time it takes to deploy the configurations. It normally takes two to four minutes and they need to reduce this. The deployment for any configuration should be minimal. It's possibly improved on the very latest version. 

An additional feature I would like to have in Firepower would be for them to give us the data from the firewall - Cisco is probably working on that. 

View full review »
Solution Architect at a tech services company with 11-50 employees

The initial setup is easy, with the installation and configuration taking about two hours.

View full review »
Security Consultant at IKUSI

The solution offers very easy configurations.

The administration of the solution is very good.

The product integrates well with other products.

View full review »
AF
Systems Engineer at a tech services company with 11-50 employees

First you have to configure the Firepower Device Manager, or Firepower Management Center. When you bootstrap it or do the initial config, you type in the IP address, host name, and DNS. When you have the IP configuration in place, you can log in to the Firepower Management Center and start building policies that suit your needs. When you have all the policies, you can add or join Firepower devices to the Firepower Management Center. After adding the devices to the Firepower Management Center, you can then apply the policies that you built in the first place, through the devices, and that will affect the behavior on the devices.

View full review »
Networking Specialist at a healthcare company with 1,001-5,000 employees

The configuration in Firepower Management Center is very slow. Deployment takes two to three minutes. You spend a lot of time on modifications. Whereas, in FortiGate, you press a button, and it takes one second.

Three years ago, the Firepower Management Center was very slow. The solution has improved a lot in the last couple of years. It is now faster. I hope that continues to improve. 

View full review »
MK
IT Administrator / Security Analyst at a healthcare company with 11-50 employees

The big three solutions, Cisco, Fortinet, and Palo Alto, are all really good but I tend to lean on Cisco versus the others because one of their strengths, in general, is threat intelligence. When you put a bunch of security people in a room then you have a lot of consensuses, but like anything, you'll have a lot of disagreements, too.

Each of these products has its strengths and weaknesses. However, when you factor in AnyConnect, which most people will agree is state-of-the-art from a security standpoint in terms of VPN technology, especially when it's integrated with Umbrella, it plays into the firewall. But, it always comes back to configuration. Often, when you read about somebody having an attack, it's probably because they didn't set things up properly.

If you're a mom-and-pop shop, maybe you can get by with a pfSense or something like that, which I have in my house. But again, if you're in a regulated environment, you're looking at not just a firewall, you're looking at all sorts of things. The reality is, security is complicated.

View full review »
Cyber Security Practice Lead at Eazi Security

One of the nice things about Firepower is that you can set it to discover the environment. If that is happening, then Firepower is learning about every device, software operating system, and application running inside or across your environment. Then, you can leverage the discovery intelligence to get Firepower to select the most appropriate intrusion prevention rules to use for your environment rather than picking one of the base policies that might have 50,000 IPS rules in it, which can put a lot of overhead on your firewall. If you choose the recommendations, as long as you update them regularly, you might be able to get your rule set down to only 1,000 or 1,500, which is a significant reduction in a base rule set. This means that the firewall will give you better performance because there are less rules being checked unnecessarily. That is really useful. 

Cisco implemented a role-based access control for Firepower, so you can have very granular accounts. For example, a service desk analyst could have read-only access. If we have a security operations team, then they could have access to update IPS vulnerability databases. A network engineer could have access to update ACLs, not rules, which is quite useful. Also, you can selectively push out parts of the policy package based on your role-based access control. So, if you have one job role and work on one part of the configuration, and I work on another job role working on a different part of the configuration, then I could just deploy the changes that I have made without affecting what you are doing (or without pushing out your changes). It is quite nice to be able to do that in that way.

View full review »
JV
Project Engineer at Telindus B.V.

I have experience with SonicWall, Fortinet, Juniper, and Sophos firewalls, among others. We work with Fortinet and Palo Alto. It's not that we only do Cisco. But I can say from my experience that I am really more convinced about Cisco products.

What customers really like about Cisco, the number-one thing that they are really happy about within Firepower—and it was also in the old ASA code, but it's even more a feature in Firepower—is that the configuration is in modules. It's modular. You have different policies for the different functions within your firewall, so that your access control policy is only for your access lists and that's it. You have a different network address translation policy. It's all separated into different policies, so a customer knows exactly where to look to configure something, to change something, or to look at something which is not working properly.

Also, with Cisco, when a customer is not totally certain about a change he's going to make, he can make a copy of the specific access control policy or the NAT policy. If something doesn't go right, he can assign the copied policy back to the device and everything is back to the way it was. 

These are the biggest advantages our customers see. When a customer doesn't have any knowledge about firewalls, I can explain the basics in a couple of hours and they have enough familiarity to start working with it. They see the different modules and they know how to make a backup of a specific module so that they can go back to the previous state if something goes wrong.

View full review »
Practice Lead at IPConsul

The IPS is one of the top features that I love.

The dashboard of the Firepower Management Center (FMC) has improved. The UI has been updated to look like a 2021 UI, instead of what it was before. It is easy to use and navigate. In the beginning, the push of the config was very slow. Now, we are able to push away some conflicts very quickly. We are also getting new features with each release. For example, when you are applying something and have a bad configuration, then you can quickly roll back to when it was not there. So, there have been a lot of improvements in terms of UI and configuration.

View full review »
IT Technical Manager at Adventist Health

We found that the initial setup using Firepower products was actually very simple. The initial configuration for the Management Console was very straightforward. Adding devices usually takes a few minutes. And then once you've got them physically set up in your Management Console, it's streamlined. It's actually very simple.

One of the great features of having the Cisco Firepower Management Console is having the ability to group. So we have each one of our hospitals as a group, so we can actually do any device configuration within a group. They're HA so that when we do an upgrade, it is seamless because when it fires off the upgrade, it will actually force the HA over automatically as part of the upgrade. And the other part of that is policy management. We have several policies, but specifically, one for the general use at our hospitals has been phenomenal because you build out one policy and you can push that out to all of your end nodes with one push.

We require two staff members to actually implement and devise the initial configuration.

At my company, you have to be at least a senior or an architect in order to manage any type of firewalling, whether that's the IPS, the actual firewall itself, or AnyConnect. So we have senior network engineers that are assigned for that task.

We typically have one person that will actually rotate through the group for the maintenance. There's a senior network engineer that will maintain that on a daily basis. Typically, it doesn't take maintenance every day. The biggest maintenance for us comes to updating policy, verifying the geolocation information is correct, and any upgrades in the future. So typically that takes about one to two people.

View full review »
Network & Security Engineer at Oman LNG L.L.C.

It integrates with other Cisco products. We use Cisco ASA and Cisco FTD, and we also use Cisco FMC for monitoring and creating policies. For internal network monitoring purposes, we use Cisco Prime. We also use Cisco ISE. For troubleshooting and monitoring, we can do a deep inspection in Cisco FMC. We can reach the host and website. We can also do web filtering and check at what time an activity happened or browsing was done. We can get information about the host, subnet, timing, source, and destination. We can easily identify these things about a threat and do reporting. We can also troubleshoot site-to-site VPN and client VPN. So, we can easily manage and troubleshoot these things.

Cisco FMC is the management tool that we use to manage our firewalls. It makes it easy to deploy the policies, identify issues, and troubleshoot them. We create policies in Cisco FMC and then deploy them to the firewall. If anything is wrong with the primary FMC, the control is switched to a secondary FMC. It is also disconnected from the firewall, and we can manage the firewall individually for the time being. There is no effect on the firewall and network traffic.

Cisco FMC saves our time in terms of management and troubleshooting. Instead of individually deploying a policy on each firewall, we can easily push a policy to as many firewalls as we want by using Cisco FMC. We just create a policy and then select the firewalls to which we want to push it. Similarly, if we want to upgrade our firewalls, instead of individually logging in to each firewall and taking a backup, we can use Cisco FMC to take a backup of all firewalls. After that, we can do the upgrade. If Cisco FMC or the firewall goes down, we can just upload the backup, and everything in the configuration will just come back. 

We can also see the health status of our network by using Cisco FMC. On one screen, we can see the whole firewall activity. We can see policies, backups, and reports. If our management asks for information about how many rules are there, how many ports are open, how many matching policies are there, and which public IP is there, we can log in to Cisco FMC to see the complete configuration. We can also generate reports.

With Cisco FMC, we can create reports on a daily, weekly, or monthly basis. We can also get information about the high utilization of our internet bandwidth by email. In Cisco FMC, we can configure the option to alert us through email or SMS. It is very easy.

View full review »
GS
Information Security and Compliance Manager at RSwitch

The initial setup is 50/50, between straightforward and complex. Migrating from Cisco to another Cisco product is okay, but migrating to Cisco from other network devices, like an IBM switch, is a bit tricky. You can't test the configuration to see if it's the same as what you're going to. But we managed with support from Cisco.

It took a month to complete the deployment.

Our implementation strategy was based on not upgrading everything at the same time. It was phased. We deployed a specific device and then we monitored everything to make sure everything looked okay, and then we moved on to the next one.

It requires a minimum of two people for deployment and maintenance, from our network and security teams.

View full review »
Engineering Services Manager at a tech services company with 201-500 employees

It may sound a bit strange, but one of the most valuable features of Firepower 7.0 is the "live log" type feature called Unified Event Viewer. That view has been really good in helping me get to data faster, decreasing the amount of time it takes to find information, and allowing me to fix problems faster. I've found that to be incredibly valuable because it's a lot easier to get to some points of data now.

Also, the new UI is always getting better from version to version. In the beginning, when it came to managing Cisco Secure Firewall, it wasn't always the easiest, but with 6.7 and 7.0, it's gotten easier and easier. It's a pretty easy system to manage. It's especially beneficial for people who are familiar with ASA logic because a lot of the Firepower logic is the same. For those people, they're just relearning where the buttons are, as opposed to having to figure out how to configure things.

I've used the backup VTI tunnel and that's a feature that lets me create some redundancy for my route-based stuff and it works pretty well. I haven't had any issues with it

Firepower 7.0 also has fantastic Dynamic Access Policies that allow me to replicate a lot of the configurations that were missing and that made it difficult to move off the old ASA platform for some customers. The addition of that capability has removed that limitation and has allowed me to move forward with implementing 7.0. 

Snort 3 is one of the biggest points on Firepower 7.0. I've been using Snort 3 for quite a while and, while I don't have a ton of customers on it, I do have some who are running on it and it's worked out pretty well. In their use cases, there wasn't a lot of risk, so that's why we started with it. Snort 3 has some huge advantages when it comes to performance and policy and how it's applying things and processing the flows.

Dynamic Objects have also been really critical. They're very valuable. Version to version, they're adding a lot more features onto Dynamic Objects, and I'm a big fan. 

I've also used the Upgrade Wizard quite a bit to upgrade the firmware. 

And on the management side, there are the health modules. They added a "metric ton" of them to the FMC [Firepower Management Center]. In version 6.7 they released this new health monitor which makes it a lot easier to see data and get to information faster. It's quite nice looking, as opposed to CLI. The new health modules really do stand out as a great way to get to some of that health data quickly—things like interface information, statistics, drops—that were harder to get to before. I can now see them over time, as opposed to at just a point in time. I've used that a lot and it has been very helpful.

In addition, there is the global search for policy and objects. I use that quite a bit in the search bar. It's a great way to get some information faster. Even if I have to pivot away from the screen I'm on, it's still great to be able to get to it very quickly there. 

In a lot of ways, they've addressed some of the biggest complaints, like the "housekeeping" stuff where you have to move around your management system or when it comes to making configuration changes. That has improved from version to version and 7.0 is different. They've added more and have made it easier to get from point A to point B and to consume a lot of that data quickly. That allows me to hop in and do some data validation much faster, without having to search and wait and search and wait. I can get to some of that data quicker to make changes and to fix things. It adds to the overall administrator experience. When operating this technology I'm able to get places faster, rather than it being a type of bottleneck.

There is also the visibility the solution gives you when doing deep packet inspection. It blows up the packet, it matches application types, and it matches web apps. If you're doing SSL decryption it can pinpoint it even further than that. It's able to pull encrypted apps apart and tell me a lot about them. There's a lot of information that 7.0 is bringing to the forefront about flows of data, what it is, and what it's doing. The deep packet inspection and the application visibility portion and Snort are really essential to managing a modern firewall. Firepower does a bang-up job of it, by bringing that data to the forefront.

It's a good box for visibility at the Layer 7 level. If you need Layer 7 visibility, Firepower is going to be able to do that for you. Between VLANs, it does a good job. It's able to look at that Layer 7 data and do some good filtering based on those types of rules.

View full review »
Untangle NG Firewall: Configuration
Owner (Senior Systems Engineer) at 3Kay Solutions

At this stage, I think the SSL decryption option can be streamlined.

I think decryption transparency could be improved because you basically click a button and then you set up one rule-set and that's about it. I've noticed there's a problem on some sites where it doesn't do the proper decryption. I actually had to go through the application control module, and logs to see what was happening, and why some sites could not function, before I could decipher that it was the SSL decryption that was blocking the sites. I would like to see more hands-on configuration in that respect.

Update:- 10/26/2020

Untangle now supports TLS v1.3. So far testing has yielded positive results and I have not really had to bypass most of the sites we browse to, after resetting the policies to default.

View full review »
Founding Partner - Technology Director at VSN LATAM

It is straightforward. Our target market is the small and medium companies that don't have IT departments and a firewall specialist. We provide the Untangle solution and the management of the solution for a quote. 

Most of the implementations are simple. However, we have implemented Untangle solution to replace Fortinet in a financial group in Mexico. This was the most complex configuration that we have handled. There were 65 locations with voiceover IP and some other features. We had to create balance and recovery from the cluster. 

Our last implementation took less than a week. You need just two people for its deployment and maintenance.

View full review »
Owner at ThinkEzIT

We do a lot of Voice over IP, which is one of the features that I like about it. The firewall works really well with Voice over IP.

They have a command center that makes it easy to log into and see all of your appliances nationwide.

The reporting is wonderful. You can run reports and they are very helpful.

The alerting is great. It will send you alerts when there is any nonsense going on. For example, you will get alerts on DDoS types of attacks.

It has wonderful content filtering built into it. They also have a cap portal feature that is pretty good. It has several useful interesting features included.

The VPNs are great too, they are wonderful.

We set up RDP on our clients, but it's Atlanta LAN, the LAN RDP. If you get on the VPN, then the allow group, you can actually RDP, you make the VPN connection to it. You can also then do a site-to-site VPN and they make it very simple. Overall, the VPN features are wonderful.

The zero deployments are wonderful with this. With Zero deployment, you don't have to touch the firewall. When the firewall arrives on-site, you have a smart hands technician to unplug the old one and you plug in the new one. It automatically downloads the configuration offline. No technician will ever have to physically touch that firewall. It can all be done through the command center once the firewall connects to it. Everything is automatically added once you purchase it and it will download the proper configuration for that site.

View full review »
Palo Alto Networks VM-Series: Configuration
VG
IT Security Head with 1,001-5,000 employees

The initial setup is straightforward and easy. 

The deployment will take a couple of hours at the max and will depend on the configuration that you are looking for. Palo Alto will give you a report that recommends policies that are based on industry standards. For example, if you have approved Telnet access then you will be warned because it is not recommended and you should be using SSH instead. They will give you lots of recommendations to warn that the configuration does not follow the standard practice and if allowed to remain then it will explain what vulnerabilities you might face in the future. This kind of report is really valuable.

View full review »
NK
Senior Manager Network Engineering at a manufacturing company with 10,001+ employees

With any organization, if you want to change the firewalls that are being used in production then it's a hectic task. You have some rules and engines that can be used, but it's a step-by-step process.

Migrating from an existing solution to Palo Alto needs to be done in phases. Phase one would be installing the devices. Phase two is testing a lab setup and diverting traffic, then analyzing it. Finally, the third phase is to enable other features like threat protection, malware detection, and other advanced options.

Depending on the size of the organization, if a migration is well planned then it will take three to four months to complete.

The configuration is different between our branch offices in order to meet our requirements. Some use the hardware appliance, whereas others use the software version.

View full review »
JL
Executive Cyber Security Consultant at a tech services company with 11-50 employees

I have clients whose architecture is configured in a lot of different ways and combinations. I use a lot of different products and make recommendations based on specific situations. For example:  

  • I have one client that actually uses multiple VM-series and then at each one of their physical sites that have the K2-series — or the physical counterpart of the VM-series.  
  • I have other clients that use Fortinet AlarmNet. As a matter of fact, almost all my healthcare providers use Fortinet products.  
  • I have another customer that used to be on F5s and they had had some issues so switched to Fortinet.  
  • I have a couple of holdouts out there that are still using the old Cisco firewalls who refuse to change.  
  • I have a new client that is using a Nokia firewall which is a somewhat unique choice.  

I have a customer that used to be on F5s and they had had some issues. The result of the issue was that they came to me and we did an evaluation of what they really needed. They came in and they said, "We need you to do an evaluation and when you are done with the evaluation, you need to tell us that we need Palo Alto firewalls." I said that was great and I sat down and got to work building the side-by-side comparison of the four firewalls that they wanted to look at. When I was done, just like they wanted the Palo Alto firewall was right there as the first one on the list. They selected the Fortinet firewall instead.  

Nokia is specifically designed to address the LTE (Long Term Evolution, wireless data transmission) threats with faster networks and such. So it is probably not considered to be a mainstream firewall. The client who uses Nokia is a service provider using it on a cellular network. They are a utility and they are using Nokia on a cellular network to protect all their cellular systems and their automated cellular operations. The old Nokia firewalls — the one on frames — was called NetGuard. This client originally had the Palo Alto K-series and they switched over to the Nokia solution. That is my brand new Nokia account. They were not happy with the K-series and I am not sure why.  

The thing about Cisco is nobody is ever going to fire you for buying a Cisco product. It is like the old IBM adage. They just say that it is a Cisco product and that automatically makes it good. What they do not seem to acknowledge is that just because their solution is a Cisco product does not necessarily make it the right solution for them. It is really difficult to tell a customer that they are wrong. I do not want to say that it is difficult to tell them in a polite way — because I am always polite with my customers and I am always pretty straightforward with them. But I have to tell them in a way that is convincing. Sometimes it can be hard to change their mind or it might just be impossible.  

When I refer to Cisco, I mean real Cisco firewalls, not Meraki. Meraki is the biggest problem I think that I deal with. I do not have the network folks manage the Meraki firewalls differently than they manage their physical firewalls. I do not want there to be a difference, or there should be as little difference as possible in how the firewalls are handled. They do have some inherent differences. I try not to let them do stuff on the virtual firewalls that they can not do in the physical firewalls. The reason for that is because in defense-related installations it matters. Anytime you are dealing with defense, the closer I can get to maintaining one configuration, the better off I am. Unless something unique pops up in Panorama, I will not differentiate the setups.  

I say that there are differences because there is a little bit of configuration that inherently has to be different when you are talking about physical and virtual firewalls, but not much. I can sanitize the virtual machine and show the cloud provider that since I was going into a .gov environment or a .gov cloud, that it met all the requirements as stated in the Defense Federal Acquisition Regulation Supplement. That is huge for our situation. Of course with a cloud provider, you are not going to have a physical firewall. Had we had a physical firewall, that becomes a bit of a chore because you have got to download the configuration file, then you have got to sanitize the configuration. Things like that become a bit of a burden. Having a VM-Series for that purpose makes it much easier.  

I did not mention Sophos in the list. Sophos does a semi-decent job with that too, by the way. The only problem with Sophos is that they are not enterprise-ready, no matter what they say. I have deployed Sophos in enterprises before, and the old Sophos models did very well. The new ones do very poorly. The SG-Series — Sierra Golf — they are rock solid. As long as we keep going with them, our customers love it. It works. I have one client with 15,000 seats. They are running 11 or 12 of them and they have nothing but great things to say about the product. The second you go to the X-Series, they are not up to the task.  

View full review »
Assistant Professor at Facultatea de Economie și Administrarea Afacerilor din Iași

I am the guy they call up first for the central infrastructure and configuration of the malware, firewall, and main applications, and I use Palo Alto Networks VM-Series for that.

View full review »
Fortinet FortiGate-VM: Configuration
MR
Manager, Infrastructure Support at a construction company with 10,001+ employees

The initial setup was not complex. The implementation proved to be straightforward.

The project took about one week in total, including deployment and configuration.

There was only a single person needed to handle the deployment process.

View full review »
EX
Director at Treasure Technology

For myself, the UI is pretty much perfect. It's much easier to work with than Cisco's FirePOWER, for example. I prefer the way it is designed above everything else, even though Cisco may be better for a different reason. Fortigate is just hands down more intuitive and therefore users need less training. While a non-tech person may need a bit of training in terms of configuration, it's still easier than Cisco.

In terms of general features, I find Fortigate and Cisco very comparable. They technically do the same things. Both can drill down by IP or region, so, application-wise, they're very much the same. 

View full review »
MR
Junior Network Engineer at a tech services company with 11-50 employees

We've had issues with integration. It hasn't gone well.

We have had some stability issues.

There are some instances where configurations can get complex.

View full review »
Chief Technology Officer at cornerstone defense

The product does not have a good graphical interface. Their patches and their upgrades are not always compatible with configuration. That means that often you find after you upgrade that there was something else you have to do to the rest of the infrastructure, whether it's a printer or a user or whatever. It doesn't appear to me that their upgrades are well tested. They usually do what they're supposed to do, however, they also usually do some other things that FortiGate doesn't seem to be aware of.

It doesn't maintain legacy capabilities very well.

The stability of the solution isn't ideal.

They don't seem capable of supporting their own product.

The solution needs a better user interface and more intelligent services like spam blocking and auto whitelisting, gray listing, blacklisting, et cetera. It just basically needs better user monitoring.

View full review »
Technology consultant at a tech services company with 501-1,000 employees


There are certain GUI features that should be present but are not, although these we can address through the command-line interface. We have to make use of this to create certain policies or change the interface layer. These configuration restrictions should be addressed. 

Moreover, the reporting should be upgraded, as there are only a small number of reports available. We also encounter issues on the logging pages. GUI does not allow for live logging and the command-line interface must be used in its stead. The need to rely on CLI should be done away with entirely. 

While we consider the solution to be user-friendly, certain improvements should be made in this respect. 

View full review »
MA
Consultant at a comms service provider with 11-50 employees

There should be more options to use lower-end models in a high availability configuration.

They should continue to improve the traffic shaping; they should add some AI to the traffic shaping. They should also consider learning from other organizations as opposed to just internally. They should follow patterns instead of everyone having to recognize patterns and make adjustments on their own. Instead, they should add some form of intelligence to guide administrators in best practices with traffic shaping. I think this will become very important as we move more toward a SaaS-type world. 

View full review »
AR
IT Specialist at a tech services company with 51-200 employees

I work with a service provider and he sells service in cloud and FortiGate products, including FortiGate VMs. With this, he sells services, and I work with him on support and initial configurations or deactivations for customers. 

I work with various versions of the solution, the latest being 7.7.

We use a variety of deployments, including on-premise and in public clouds. Not an American public cloud, however. Rather, it's a public cloud here in South America.

I'd rate the solution at a ten out of ten. the product is excellent and I am very happy with it overall.

View full review »
TM
Network Administrator at Furnmart

I previously used pfSense but found it was a bit complicated in terms of configuration and didn't give periodic updates. I switched to FortiGate because they were very consistent in giving updates on outbreaks and what they were doing to resolve them.

View full review »
Full support analyst at Gruppen

My experience with the solution has been very positive and Fortinet provides a great layer of security when it comes to SD-WAN and other security capabilities. There are many models available to suit a host of environments. 

The solution is extremely easy and friendly. The configuration, graphical interface and command line are easy to use.

View full review »
OPNsense: Configuration
OT/ICS Information Security Specialist at SANS

I have some issues with OPNsense. I have created a virtual machine that I've lost connection at times and I am not able to connect to the gateway or ping the internet. When I started with OPNsense, it worked right away. It may be an issue with the virtual machine itself. I am currently setting up the protection on all of the virtual machines so they will connect to OPNsense and the internet, or anywhere they need to access.

I have tried to download some malicious files or a virus and it should dump the files and prevent the download, but I don't seem to get any notification or warnings.

It may be an issue with the configuration but I am not sure.

I would like to see improvements made to connectivity and alerting.

I wanted to deploy this solution in our organization and some of the workstations from remote sites but it's not reliable enough to do that yet.

In the next release, I would like to see real traffic monitoring and more visibility. Also, for the antivirus, I would like to see the files protected by ClamAV. 

I would like to see intelligence in OPNsense and have the option to apply it or not.

They need a threat intelligence tool similar to the one they would find with Cisco. It will show you the file hashes, all of the IFCs, the niches, the address information, and more.  With all of this information, you can be proactive and block the malicious file hashes, all of the malicious IP addresses, and the public IP addresses. It should help you be proactive.

It would be helpful to have OPNsense be one of the plugins, and they should include traffic capturing. With Palo Alto, you can monitor and specify which interface you want to monitor, the source IP, or you can specify the network and see the traffic that is coming from the VLAN, the destination, and any files being transferred over the network.

If you apply security profiles you can see the signatures.

View full review »
CA
Owner and business consultant at networks srl

We plan to continue using this solution. Right now, we are settling our networks. We plan to expand its usage, but I don't think it will happen until 2022.

It has a good user interface. Its configuration is simple but requires a little planning. It is much simpler than the Cisco ASA configuration.

I would recommend this solution. I would rate OPNsense a nine out of ten. I am happy with it.

View full review »
Check Point NGFW: Configuration
Security and Network Engineer at a tech services company with 501-1,000 employees

The Check Point NGFW is the best product that I have ever used. It has pluses and minuses, as do others, but the usability, simplicity, and the configuration abilities are very user-friendly. After a while, other vendors just don’t come close to it.

The second thing is that is just works and it does it with ease. The upgrades and bug fixes are frequent and well documented. Also, the patches just work ;-)

There are some negatives but as I already said, they aren’t many and from my point of view, we can see past them.

View full review »
RF
Manager for Operations, Security and Management at REN - Rede Energeticas Nacionais, S.A.

The initial setup is pretty simple. The amount of time required for deployment depends on the number of rules that need to be configured. The initial setup can be done in one day, and the post-setup configuration depends on the rules to be applied.

View full review »
Network Security Consultant at Atos Syntel

We are an IBM OEM company who received installation support from that vendor. They provided all the network connectivity.

For our implementation, we:

  1. Started with an initial diagram of the configurations and what we want to see after the installation.
  2. Segregated the SonicWall and Check Point tools for the migration since we used automation.
  3. Checked the mode of installation. We went with transparent mode.
  4. Collected the IPs for the firewall. It required multiple IPs because with we have cluster nodes.
  5. Assessed the feasibility of Check Point in our environment.

For our strategy, we looked at:

  • How many users are in all our offices? For example, is it a small office, mid-size office, or data center?
  • Using high-end versus lower-end devices, e.g., lower-end devices means a smaller price tag.

A smaller office of less than 500 people would get a 4000 Series. Whereas, a larger office would get a 5600 or 7000 Series. We have to be focused on the natural topology.

View full review »
Senior Network and Security Engineer at a computer software company with 201-500 employees

We have had several support cases opened. Some of the were resolved by installing the latest recommended JumoHotfix, some required additional configuration on OS kernel level (e.g. TCP MSS clamping). The longest issue took about one month to be resolved, which we consider too long.

View full review »
Security Analyst at HOST

I hope for product simplification. It would be better to use one security console, instead of many of them (for licensing and monitoring). The solution is hard for newcomers and takes much time to deep in. Also, I want a historical graph for throughput and system resources usage. Maybe it will be great to make easy step-by-step installation and configuration cookbooks as Fortinet did, and integrate the documentation within the solution. In most cases, the solution works great and I recommend it for our customers.

View full review »
GG
Security and Platforms Engineer at a educational organization with 201-500 employees

The initial setup is really easy. You can do it in 30 minutes. Setting up an environment for a firewall and its management with a licensed demo took me an hour last week, and that includes the time for configuring the rules. The whole installation is 30 minutes and the configuration is another 30 minutes.

If you are implementing from another vendor, Check Point has a program called SmartMove. Then, all you need is the configuration of the previous firewall. Once you do some optimization, then you are ready for the integration. This might take a month overall.

View full review »
IK
Security Expert at a aerospace/defense firm with 10,001+ employees

Their management features are the best, from one point of view, but they are too heavy. For example, if you are looking at a configuration file, you can't just browse through it and see all the configurations like you can with other vendors, like Cisco and Fortigate. With those solutions you can just go over the configuration file and read all the objects and the policies, etc. 

Because of the Check Point architecture, the data file itself is huge if you're comparing it to the data files of other vendors. The difference is something like 3 Mb to 1 Gb. It's not so straightforward. 

The data process is also not so simple. You don't just load a text file which has all the configuration. It's a more complex process to restore it from a backup, when it comes to Check Point.

View full review »
Associate Consultant at a tech services company with 10,001+ employees

It gives us centralized management for multiple firewalls. For example, if I want to push the same configuration to 10 firewalls, I can push it all at once with the help of the centralized management system.

It is easy to use because it supports Linux language in the CLI. This is a good for someone who already knows Linux language.

View full review »
KK
IT Specialist at a tech services company with 10,001+ employees

In advance, we get security vulnerabilities. So, we can configure new security policies, update our antivirus, or check the configuration to protect the environment.

View full review »
Network & Systems Administrator I at DMH

I have set up replacements and it's very straightforward. It's very easy. It's much easier than some of the other network equipment that I've had to deal with. Check Point provides a wizard that walks you through the process and that streamlines the entire process. They also provide instructions on how to go about getting to the wizard and the process that we needed to take to complete that configuration. It was relatively painless.

The replacement was configured in one day and deployed the next, with no issues.

There are five of us in our company who have management access. I'm the network administrator, and I've got four IT technicians who work under me and assist in the firewall configuration and deployment.

View full review »
Network Security Consultant at a energy/utilities company with 5,001-10,000 employees

For the infrastructure in question, we have always used Check Point firewalls.

I have worked with Cisco ASA. Cisco is more CLI oriented, whereas Check Point is more GUI oriented. With the GUI, it's easier to manage and administrate it. If the configuration becomes bigger and bigger, it is really easy to see things in the GUI versus a CLI.

The advantage of the CLI is that you can create scripts and execute them. But the disadvantage is that they become so lengthy that it becomes very difficult to manage.

View full review »
Security Engineer at Hitachi Systems

I have done four to five initial setups and configurations of firewalls, which have been completely fine and proper. There are no improvements needed.

For one firewall, it will take around two and a half hours to configure the interface and everything else. For the deployment of one firewall, it will take around two and a half hours. If you want to make any clusters, then it is around five to six hours. 

View full review »
Network security engineer at Fidelity Bank

The VPN part was actually one of the most complex parts for us. It was not easy for us to switch from Cisco, because of one particular part of the integration: connecting the Check Point device to an Entrust server. Entrust is a solution that provides two-factor authentication. We got around it by using another server, a solution called RADIUS.

It was very difficult to integrate the VPN. Until now, we still don't know why it didn't work. With our previous environment, Cisco, it worked seamlessly. We could connect an Active Directory server to a two-factor authentication server, and that to the firewall. But when we came onboard with Check Point, the point-of-sale said it's possible for you to use what you have on your old infrastructure. We tried with the same configurations, and we even invited the vendor that provided the stuff for us, but we were not able to go about it. At the end of day they had to use a different two-FA solution. I don't if Check Point has a limitation in connecting with other two-FAs. Maybe it only connects with Microsoft two-FA or Google two-FA or some proprietary two-FA. They could work on this issue to make it easier.

Apart from that, we are coming from something that was not so good to something that is much better.

View full review »
JM
Network Security Engineer/Architect at a tech services company with 1,001-5,000 employees

Upgrades and debugging of the operating system, as well as the backups and restores of configuration, need improvement. 

Debugging is very complex when compared to Fortinet, for example. That's the worst thing about Check Point. The deployment of the solution is harder than it is with the competitors. But after you've deployed it, the operation is easy.

View full review »
IT-Infrastruktur at Synthesa Chemie Ges.m.b.H

Check Point has improved our organization in the following ways:

  • Provides for central management over all of the Check Point gateways
  • Maintains a changelog that shows which users have made changes
  • Version control allows us to roll back a ruleset after, for example, a misconfiguration
  • Offers very granular application control
  • Allows for various internet permissions for various users
  • Gives us very good logging, which is nice for troubleshooting because you can instantly which rule is affected for each action
  • The cloud gateway (Check Point Capsule Cloud) ensures that users are getting the same internet permissions as they would if inside the company, no matter which internet connection they are using
View full review »
AR
Firewall Administrator at a tech services company with 1,001-5,000 employees

Per my experience, it is very easy to scale these firewalls, because they are combined with the central management point. It is very easy to push the same configuration to different firewalls at the same time. It does not take much time to extend usage.

We use them throughout our organization. Currently we have used them for around 50 percent of our needs and there is definitely a room to grow. In the future we will definitely try to increase usage, if it is required.

View full review »
AP
IT Infrastructure & Cyber Security Manager at a retailer with 501-1,000 employees

It was really pretty straight forward because we upgraded from an older Check Point product. The installation and the assimilation of the new firewall was very quick with almost no downtime and almost no problems.

We deployed four firewalls in two clusters and, all in all, it took about one day of work; half a day for each side. That includes the installation, the configuration, and the exporting of the configuration from the old system and, of course, all the fixes and patches.

On our side there was one person involved in the initial setup, just to make sure that everything was going okay and, after the installation, to do all the checks and verify that everything was working fine and as needed.

View full review »
Network Security Assurance Specialist at Visa Inc.

The main use case is Firewall provisioning and integration with Tufin and Skybox. Also, we focus on firewall compliance, rule review, VPN configuration, and network troubleshooting.

View full review »
KK
Network Associate at a wireless company with 1,001-5,000 employees

I like the antivirus, attack prevention, three-layer architecture, and data center management features.

The antivirus updates are quite frequent, which is something that I like.

Central management is a key feature. We have between five and ten firewalls on-premises, and if we want to configure or push the same configuration to all of the firewalls, then the centralized management system is very helpful. It means that we only have to push the configuration once and it gets published on all of the firewalls.

View full review »
DD
Sr. Network Engineer at a tech services company with 1,001-5,000 employees

We currently use Check Point and Cisco ASA. The purpose for the company is to increase the security. They were only using Cisco ASA Firewall, which is kind of a degrading firewall right now because it lacks many features, which are advanced in Check Point Firewall. With Cisco ASA, we need to purchase additional IPS hardware. But, for Check Point, we do not require that. Also, if we want the same configuration for multiple firewalls at a time, then Cisco ASA does not support that. We have to create the same policy in each firewall.

View full review »
Associate Consult at Atos

It has not only improved our environment but the entire organization. Adopting it brings better functionality.

Starting from the basic firewall blade to sandbox threat emulation and threat extraction, it works seamlessly to protect against both known and unknown malware.

After the version 80.xx migration, Check Point stability and security have improved tremendously.

Through the management server, it has become very easy to manage the configuration for each of the blades, as well as the day-to-day operations. With central management, it has become possible to manage endpoint devices as well.

View full review »
RG
Network Security Engineer at a tech services company with 10,001+ employees

The first phase of the implementation is to plan the firewall deployment. After that, we do the configuration and validate it. In the case of a Check Point firewall, this process will take between two and three months to complete.

The complexity of the process depends on the features that you want to add. In general, it is straightforward and not too complex.

View full review »
MP
Network Security Engineer at a tech services company with 10,001+ employees

Prior to Check Point, we were using Cisco ASA.

The problem with Cisco ASA is that it is a purely CLl-based firewall. Check Point is not only UI and CLI-based, but it is also a next-generation firewall. It has many different and more advanced features, compared to Cisco ASA.

For example, in Cisco ASA, we can use only two gateways in active-active mode, but with this product, we can use five gateways at a time. Another difference is that the Cisco ASA policy configuration options are not as granular as Check Point.

View full review »
Technology consultant at a tech services company with 501-1,000 employees

Check Point's new Smart dashboard has an all-in-one configuration interface. They provide a very easy configuration for NAT and one tick for source & destination NAT is possible.

Policies can be configured in a more organized way using a section & layered approach.

Application control has all of the required application data to introduce it into policy and the URL filtering works great, although creating regular expressions is complicated.

The software upgrade procedure is very easy; it just needs few clicks & we are done.

View full review »
Cybersecurity Engineer at Insurance Company

The virtual systems solution (VSX under Check Point terminology) has provided the company the ability to improve performance and adapt to the network and security needs in a flexible way, as the network has been possible to be redesigned at any time and put an additional firewall where there wasn't before without more hardware. At the same time, the costs of the solution are known and limited, as you pay for a bundle of firewall licenses and your hardware purchased.

The NGFW security solution scales well and easily when needed as long as your hardware (performance) admits it. And having a central management system that allows us to share the same object database and different configurations have allowed us to improve the platform operating time. Due to this, we can implement the security needs of more proyects than we used to.

View full review »
Senior Network Engineer at LTI - Larsen & Toubro Infotech

Configurations can be complex in some situations and need experienced engineers for managing the solution.

Integration with a third-party authentication mechanism is tricky and needs to be planned well.

SmartView monitor can be enhanced to display granular details of gateways with a single click. Also, having the ability to generate alerts from the Smart Monitor would be a nice feature.

View full review »
Network Administrator at Secretaría de Finanzas de Aguascalientes

Within the organization, the inspection of packages has given us great help in detecting traffic that may be a threat to the institution.

The configuration of policies has allowed us to maintain control of access and users for each institution that is incorporated into our headquarters. It is well organized.

Some other of the services that have worked well for us are antivirus, anti-bot, and URL filtering. Together, these have allowed us to maintain control and organization amongst the users.

Another one of the pluses that have helped us a lot has been the IPsec VPN, especially in these times of pandemic.

View full review »
Senior Manager at a financial services firm with 10,001+ employees

This is a zone-based firewall, which differs from other firewall solutions available on the market. It changes the way the admin manages firewall policy. The administrator has to be careful while defining policy because it can lead to configuration errors, allowing unwanted access.

For example, if a user needs to access the internet on the HTTPS port, then the administrator has to create a policy as below, rather than using NAT for assigning the user's machine to a public IP.

Source: User machine
Destination: any
Port: HTTPS
Action: allow (for allowing the user's machine access)

This has to be done along with the below policy:

Source: User machine
Destination: Other Zone created on Firewall
Port: HTTPS
Action: block 

The two policies, together, mean that the user's machine will not be able to communicate with any other L3 Network created on the firewall.

The firewall throughput or performance reduces drastically after enabling each module/blade.

It does not provide for standalone configuration on the security gateway. Instead, you need to have a management server/smart console for managing it. This can be deployed on a dedicated server or can be deployed on the security gateway itself.

View full review »
User at Johnson Controls, Inc.

We greatly appreciate the ease of configuring firewall policy ACL rules and how the seamless integration with VPN users and user groups provides the ability to granularly restrict access. The uncomplicated configuration ensures that mistakes are avoided and rules are easily audited.

Having the ability to set an expiration date for remote access VPN users simplifies the process and increases security by ensuring that stale accounts and not forgotten.

In general, we find that CheckPoint offers a great balance between ease of use and configurability.

View full review »
JC
CTO at a computer software company with 11-50 employees

Easy setup and configuration by a non-network/security person.

View full review »
User

Remote access with a secure workspace provides a clear separation between the client and corporate network. 

Threat Emulation (sandboxing) is great for zero-day malware and it is easy to configure. 

Logging and administration are best-of-breed. You can quickly trace back on all sorts of logs in no time. 

IPS and AV rules are granular and specific for the rules that you need. 

The geolocation feature is good for dropping irrelevant traffic. 

Configuration through SMS is quick and easy. It eliminates administration errors while checking consistency before applying a policy.

View full review »
Network Security Engineer at a consumer goods company with 201-500 employees

Until you have some experience, the installation and configuration are difficult.

View full review »
DZ
Security product manager at RRC

Its initial setup is easy for me. The deployment duration varies. A simple deployment takes two or three days. A complex deployment that involves a cluster configuration or appliance replacement can take up to five days.

View full review »
Network security engineer at Fidelity Bank

We use this solution for permissions regarding access ports and services. We also use Check Point Remote Access VPN as an endpoint VPN. We use it for site-to-site configuration

All of the traffic that comes through our sites passes through our firewall. Basically, everyone, including our staff and clients, passes through our firewall. In other words, we have thousands of users using this solution.

View full review »
PI
IT Manager at a comms service provider with 51-200 employees

The implementation was through a vendor, and the installation went really well. The consultant was Check Point certified and explained everything in detail.

Later on, we added new remote sites to the configuration (in-house) without any problem. We didn't need to check with the vendor.

View full review »
Subgerente de Tecnologías de la Información at ETAPA EP

The URL filter is activated to filter access to our employees. We use filtering for VPN access.

The configuration is one of the best features of this product.

When this product was purchased approximately 12 years ago it was the top of the line.

The product has been working very well.

I don't have any issues with the software of this solution. It works as is expected.

View full review »
AS
User at a financial services firm with 10,001+ employees

I have been designing, deploying, implementing, and operating Check Point's Security solutions including NGFWs and EndPoint security as well as Remote Access VPNs, Intrusion Prevention systems, URL filtering, user identity, UTMs, et cetera, for around 12 years. 

I have also used VSX and MDS/MDLS solutions. In my organisation I am using over 150 virtual and physical appliances and also MDS for virtualized/contanerized central configuration management and also central log management MDLS/MLM. We are using this not just for NGFW but also for other Perimeter security solutions.

View full review »
RS
IT Manager at a transportation company with 501-1,000 employees

The web interface was easy for me. The configuration is logical, so it's easy to use and easy to understand how to protect, how to open a port, how to manage, and how to route a device. That's why I prefer Check Point. It's robust and I never have issues with the hardware.

View full review »
PL
Firewall Engineer at a logistics company with 1,001-5,000 employees

Firewalling is one of Check Point's core business attributes, and it just works.

Creating site-to-site VPNs between Check Point Gateways that are within the same management is unbelievably easy. If you create VPNs for 3rd parties and there are mismatches or issues, you will see logs that help pinpoint issues or misconfiguration.

Application control help with identifying applications and therefore makes firewall rules easier since changing ports don't have to be adapted every time an application changes or updates.

View full review »
BU
System Security Engineer at Ziraat Teknoloji

In some features, it is not easy to use the Check Point firewall. 

The IPSEC VPN setup is not easy to configure. In some cases, if the VPN is not established, it is very hard to troubleshoot the configuration. It does not address the problem well. 

The upgrading process takes too much time.

View full review »
Project Manager at Junta de Andalucia

The initial configuration was simple. The previous team was also using Check Point, we only had to export and update the rules. Only a couple of things had to be corrected and changed.

View full review »
NM
Logical Security Deputy Manager - IT at a financial services firm with 1,001-5,000 employees

Check Point offers a reliable firewall solution with VPN options that have allowed us to establish secure and stable connections with other companies and users in a very simple way.

Simple and centralized administration has allowed us to manage all the firewall nodes from a single console, facilitating the deployment of firewalls through the network, since a large part of the configurations and access rules, as well as the protection controls, are managed from a single console and via centralized maintenance.

View full review »
BI
Technology Architect at BearingPoint

The setup is pretty straightforward, at least for the basic setup. Even with more complicated configurations, you have good support and experts at Check Point in the background that can help.

View full review »
BZ
IT System Operations Manager at Hamamatsu Photonics KK

They offer very scalable solutions to extend compute resources if needed so initial sizing isn't too much of an issue as you can easily add more resources if needed. Reliability is a major factor in any hardware or software solution, and Check Point uses leading-edge hardware, and their software upgrade process is flexible for various deployment requirements. 

Policy configuration has been consistent over the years, so there is not much of a learning curve as upgrades are released. 

Their threat analysis reporting from their management console is very comprehensive and easy to use. Their web-based dashboard is well designed and offers many out-of-the-box reporting, and provides admins extensive customizations.

View full review »
ES
Innovation Consultant at KPN

Several enterprises, from financial institutions to hospitals, use this product mainly as edge solution. In most cases, the setup was based on a redundant configuration. Other cases which have been rolled out are based on smaller devices in office locations and larger devices in the central datacenter of the customer. As an MSSP we trust the reliability of the solutions, since we cannot risk having our reputation being harmed. Our team is perfectly able to manage the devices on a day by day basis using the central management solution.

View full review »
GA
President at NGA Consulting, Inc.

The initial setup is straightforward and plug and play for a basic configuration to get you started. You can then begin building the NAT and policy rules, which are easy enough to do.

View full review »
User at a insurance company with 201-500 employees

Initially, I was using the Cisco ASA5500 series firewall. I never believed there could be better firewall devices in terms of ease of setup and management. The NGFW from Check Point has increased my confidence in terms of performance and ease of configuration with its intuitive interface. It supports the VPN configuration without any unnecessary latency and packet dropping.                                                                                                                              

It blocks over 97% of threats!                                          

View full review »
AO
Head of Technology at African Alliance Plc.

The product is very stable with no crashing or configuration corruption.

View full review »
MC
Executivo de Negócios de TiC at a comms service provider with 10,001+ employees

My customers cite performance and ease of configuration as two of the solution's most valuable features. 

View full review »
JV
Engineer at CENACE

I think the most valuable feature is that the application and configuration were easy for us. When we need to do some work with the networks, configuration and deploying are easy - if I want to search for information, it is easy in the Check Point platform.

View full review »
JJ
Network and Security Engineer at BIMBA & LOLA, S.L.

The centrally managed firewalls are great. We can save a lot of configuration time in configuration tasks. We have deployed about 200 devices in record time due to the fact that we use a unique policy for almost all of them.

Logs, Views and Reports are the most detailed compared to other vendors (FortiGate, etc.) We can see a lot of detail in the logs and also we can configure any report we need without any problem and in two clicks.

We can see that, for IPS signatures, we have updates every day, sometimes twice a day, so we see a lot of effort from the vendor. They really try to protect our environment from known attacks and vulnerabilities.

View full review »
BW
Consultant at work@lim.it Systemhaus

Although there is a lot of automation and pattern that can be classified automatically, the IPS systems are sometimes a little bit complicated, and doing the fine-tuning in over 20,000 patterns is hard to do. This has been improved in the last versions, however, it can still be made a little bit better. 

For example, the automatic classification of which pattern should be activated is very simple yet lacks some special configuration options (for example if you want to have more than one classification pattern for the activation).

The HTTPS inspection is very tricky, too. Since there are a lot of applications that are using certificate pinning, most of the SSL traffic (especially to the big cloud provider) must pass without inspection.

Since attackers also use these clouds, there is a problem in getting your security definitions to work.

Of course, this is not a Check Point-specific problem and rather a problem in the HTTPS inspection itself.

There is the need to know which sites are accessed by our staff and to get the visited URLs, to get the internal security policy working. The SSL classification feature of Check Point is a good intention, yet not as good as needed.

View full review »
TL
Networking engineer at Hewlett Packard Enterprise

The Identity-Based Inspection Control gives us the ability to leverage the organization’s Microsoft AD, LDAP, RADIUS, and Cisco pxGrid. 

The Terminal Servers group membership allows policies to automate typical processes (user moves/add/changes) and decrease configuration changes required on the firewall, which is tremendously beneficial. This limits the integration with the identity store to just one interface, and we still get broad security coverage based on a single set of identity policies. 

We leverage the combination of identity and application awareness, which is mandatory in order to build scalable security policies that protect the business without compromising user experience. This feature is extended to the SmartEvent console.

View full review »
CA
Integration engineer at S21sec

In earlier versions, it was a bit hard to do migrations of Multi-Domain Servers/CMAs, nowadays, with +R80.30 it has gotten much easier. I cannot really think of many things to improve. 

One thing that could be useful is to have a website to analyze CP Infos. This way, it would be much faster to debug problems or check configurations. 

Another thing not very annoying but enough to comment on is when preparing a bootable UBS with the ISOMorphic (Check Point's bootable USB tool), it gives the option to attach a Hotfix. However, this usually causes corrupted ISO installations.

One thing to improve is the VSX gateway. It is quite complex to work with VSX and they are quite easy to break if you aren't familiar with them.

View full review »
MC
Chester at Iocane

Product-wise, I have no real complaints. 

Potential improvements could be made around simplifying VPN functionality and configuration.  

The main area that the organization can improve is around the lack of local, in-state technical support. Competitor vendors have a strong presence in the Adelaide Market, however, Check Point has always been limited with its commitment to staffing local technical resources. If this focus is made, I could see Check Point returning to the strength that it once had in the Adelaide market.

View full review »
NI
Snr Information Security Analyst at The Toronto Star

The product has improved visibility into the traffic going through our network.

For all traffic leaving the network, Check Point provides the capability to inspect and permit traffic using not just ports but application IDs, which is more secure than simply permitting TCP/UDP.

Check Point has a robust IPS Blade which has added an additional layer of security on connections to the data center.

Check Point's compliance blade also helps in checking how Check Point's appliance configuration is in compliance with any requirement that we need to provide evidence for.

View full review »
NT
TitleNetwork Manager at Destinology

Check Point is very feature-rich. There aren't any features missing or that I am awaiting in a future release. 

The only downside to Check Point, is, due to the vast expanse of configurable options, it does become easily overwhelming - especially if your coming from a small business solution like Draytek. 

Check Point comes with a very steep learning curve. However, they do offer a solid knowledge base. Some issues I have encountered in my five years have only been resolvable via manually editing configuration files and using the CLI. Users need to keep this in mind as not everything can be configured via the web interface or their smart dashboard software. 

View full review »
RC
Senior Infrastructure Technical Analyst at https://www.linkedin.com/in/robchaykoski/

I protect customers and other types of data by ensuring a secure environment. Check Point allows me to deploy quickly and securely, along with using more advanced detection and prevention. By securing multiple sites and various infrastructure elements, I have reduced my overall workload.

I'm using a lot of permanent tunnels and protecting them to ensure that monitoring customer infrastructure is not compromised in any way, shape, or form.

Various hardware has been deployed at proper sizing for customers and the equipment is stable without the need for a lot of custom configuration

View full review »
TK
IT Consultant/Engineer at a computer software company with 11-50 employees

You need to merge all the old consoles into one new one and make the interface more convenient for the novice administrator. Until now, the initial settings as well as subsequent changes to the "iron" part of the firewall, namely its interfaces, routing, or DCCP settings, you must use the web interface through a browser. This is inconvenient. Of course, you can use the command-line for these purposes, however, this also complicates the configuration process for the administrator and requires a well-known habit.

View full review »
Palo Alto Networks NG Firewalls: Configuration
AB
Solutions Architect at a comms service provider with 501-1,000 employees

As a solutions architect group, we are what you would call "vendor-agnostic." We evaluate any solution that seems like it may be viable to provide clients with some advantages. I will never go to a customer and say that these are the only products that we are going to support. However, if there is something that a client wants to use which I feel would be detrimental to their business or that doesn't fit their needs, I will encourage them to look at other solutions and explain why the choice they were leaning towards may not be the best. When a solution they want to use means that no matter what we do they are going to get broken into, I'll let them know. It isn't good for their business or ours.

That said, some of the most requested or considered firewall solutions by clients beside Palo Alto are Fortinet, Firepower, and Meraki. Looking at each provides a background into how we look at solutions and how we evaluate options for clients. You have to look at the benefits and disadvantages.

Cisco Firepower NGFW (Next-Generation Firewall)

I think that Firepower can be simplified and can be made into a more viable product in the Cisco line. I think that Cisco has the ability to get into the Firepower management platform and trim it, doing so by breaking down all of the different areas of concern and configuration and categorizing them into overviews, implementation across the board, and steady-state management. If they were to do that, then users could start at the top layer and drill down more as they see fit to customize to their needs. I believe that Cisco can do that with Firepower and make it a much better security tool.

Firepower is not just a firewall, it is an SD-WAN. It is an application that Cisco sells that gets loaded onto an ASA 5500 series appliance (the appliance has to be the X platform). It is not a bad solution. I can use it to get into your network and protect a lot of your customers who will be running traffic through it. But a problem that you are going to get into as a result of using Firepower is that it is extremely difficult to configure. Security engineers that I have handed the setup after a sale came back from the service and asked me never to sell it again because it was very difficult for them to set up. However, it is also very secure. The difficulty is in using the GUI, which is the console that you would log into to set up your rules and applications. It can take about 10 times as long as Meraki to set up, and that is no exaggeration. Palo Alto is easier to set up than Firepower, but not as easy to set up as Meraki. But, the security in Palo Alto is phenomenal compared to Meraki. Firepower is pretty secure. If it was a little easier to operate, I'd be recommending it up one side and down the next, but ease-of-use also comes into play when it comes to recommending products.

I'll support what Firepower has to offer considering the quality of the security. But I can't take anyone seriously who is proud of themselves just because they think their firewall is next generation. It might have that capability but it might not be 'next generation' if it is set up wrong. Some vendors who sell firewall solutions that I've spoken to admit to dancing their customers around the 'next generation' promise and they make amazing claims about what it can do. Things like "This firewall will protect the heck out of your network," or "This firewall has built-in SD-WAN and can save you lots of money." These things are true, perhaps, depending on the clients' needs and the likelihood that they will be able to properly manage the product. 

Firepower is a capable solution but it is difficult to set up and manage.

Cisco Meraki NGFW (Next-Generation Firewall)

Meraki was a horrible acquisition by Cisco and it is harming their name. All of us who are familiar enough with the firewall know how bad that firewall is and we know that Cisco needs to make changes. The acquisition is almost funny. The logic seemed to be something like "Let's buy an inferior security solution and put our name on it." That is a textbook case on how not to run a company.

If Cisco wanted to improve Meraki, the first thing they need to do is simply activate the ability to block an unknown application. Start with that and then also improve utility by blocking every threat by default like other products so that users can open up traffic only to what they need to. That saves innumerable threats right there.

There are situations where Meraki works very well as is. One example is at a coffee shop. What the coffee shop needed for their firewall solution was to have a firewall at every location for guests. The guests go there to eat their donuts, drink their coffee, and surf the internet. The company's need was simply to blockade a VLAN for guest access to the internet while maintaining a VLAN for corporate access. They need corporate access because they need to process their transactions and communications. All corporate devices can only communicate through a VPN to headquarters or through a VPN to the bank. For example, they need to process transactions when somebody uses their debit card at a POS station. It works great at the coffee shop. 

It works great at department stores as well. All employees have a little device on their hip that enables them to find what aisle a product is in when a customer asks them. If the store doesn't have the product on hand, the employee can do a search for another store that does have it in stock right on the device. They can do that right on the spot and use that service for that device. For that reason, they are not going across the internet to find the information they are searching for. They are forced into a secure tunnel for a specific purpose. That is something you can do with Meraki. If you don't let employees surf the web on the device, then Meraki will work.

I can actually give you the methodologies in which hackers are able to completely hack into a Cisco customer's network and steal extremely valuable information. Meraki is the most simple of all firewalls to infiltrate in the industry. It is an extremely dangerous piece of hardware. What comes into play is that Meraki, by default, does the opposite of what all of the other firewalls do. Every firewall not called Meraki will block every means of attack until you start saying to permit things. The Meraki solution is the opposite. Meraki, by default, blocks nothing, and then you have to go in and custom key everything that you want to block. This is dangerous because most people don't know everything in the world that they need to block. With Meraki, you have to get hacked in order to be able to find out. Now, tell me who really wants that.

An example of this is that Meraki cannot block an application it doesn't know about, which means that all unknown applications are forever allowed in by Meraki. If I am a hacker and I know that you are using a Meraki firewall, I can write an application to use for an attack. When I do, it is unknown because I just wrote it today. If I load it up on a website, anybody that goes to that website using a Meraki firewall has this application loaded onto their computer. Meraki can't block it. That application I wrote is designed to copy everything from that person's computer and everything across the network that he or she has access to, up to a server offshore in a non-extradition country. I will have your data. Now I can sell it or I can hold you for ransom on it.

Customers love it because it is simple to configure. I don't even need to be a security architect to sit down at a Meraki console and configure every device across my network. It is an extremely simple device and it's extremely cheap. But you get what you pay for. You are generally going to suffer because of the simplicity. You are going to suffer because of the low cost and "savings."

All I can say about Meraki is that it is cheap and easy to use and fits well in niche situations. If you need broader security capabilities, spend a few bucks on your network and get a better security solution.


Fortinet FortiGate
 NGFW (Next-Generation Firewall)

I'm supportive of Fortinet because it is a decent next-generation firewall solution. While not as secure as Palo Alto, it is a cost-effective and reasonably reliable product. I have customers choose it over Palo Alto. But if they decide to use this solution, I want to charge them to manage it for them. The reason for that is, if anything goes wrong in the network and they get hacked, my client will likely get fired and replaced. If anything goes wrong in the network and I am paid to manage their firewall, I am the one in trouble if they get hacked — not the client. I apply my services to the network, make sure everything is working as it should and give them my business card. I tell them that they can give the business card to their boss if anything goes wrong because the guy on the card is the one to blame. That way I remain sure that nothing will go wrong because of poor administration, and my client contact sleeps better at night.

Fortinet is sort of middle-of-the-road as a solution. It has a relative simplicity in setup and management, it has a lower price and provides capable security. Fortinet FortiGate still gets some of my respect as a viable alternative to Palo Alto.
     

Comparing the Complexity of Setup

Firepower is the most complex to set up. The second most complex is Palo Alto. The third is Fortinet. The fourth is Meraki as the simplest.

Rating the Products

On a scale from one to ten with ten being the best, I would rate each of these products like this:

  • Meraki is a one out of ten (if I could give it a zero or negative number I would).
  • Fortinet is seven out of ten because it is simple but not so secure.
  • Firepower is seven out of ten because it is more secure, but not so simple.
  • Palo Alto is a ten out of ten because the security side of it is fantastic, and the gui is not a nightmare.

An Aside About Cisco Products 

It is interesting to note that the two offerings by Cisco are on completely opposite ends of the spectrum when it comes to the learning curve. Firepower is on one end of the spectrum as the most difficult to configure and having the worst learning curve, and Meraki is on the other as the easiest to configure and learn. Both are owned by Cisco but Cisco did not actually develop either of product. They got them both by acquisition.

View full review »
AM
Information Security Specialist at UAEU

We are basically using a double protection layer in which we take care of all our DMV, VPN, tunnels, and internal network. We are basically using it for application based configuration  controlling our traffic on applications with layers four to seven. We are customers of Palo Alto and I'm an information security specialist. 

View full review »
Sr. Solution Architect at a tech vendor with 501-1,000 employees

While we mainly deal with on-premises deployment models, occasionally we also do hybrid deployments.

We're not a customer. We're a systems integrator. We're a reseller. We sell solutions to our clients.

Palo Alto is very good at policymaking. It's like they have a single policy that you can use. Other solutions don't have single policy use, which means you have to configure everything. There may be many consoles or many tasks that you'll have to worry about other solutions. Multiple task configuration should not be there, and yet, for many companies, it is. This isn't the case with Palo Alto. Palo Alto is easy compared to Fortinet. 

It's overall a very solid solution. I would rate it nine out of ten.

View full review »
KH
Assistant Manager at Net One Systems

Our primary use case was to configure our PSAs for our customized configuration

View full review »
System Engineer at IRIS

This is a stable firewall and you don't have a lot of surprises. The performance, throughput, and decryption are all good. It is important to remember that at the end of the day, it depends on the configuration.

For special functionality, you are going to have some exceptions. However, for the well-known functionality, it is stable.

View full review »
Network Security Engineer at a tech services company with 11-50 employees

The initial setup is a very smooth process integrated with initial configuration. It's very easy. 

View full review »
System Administrator at a mining and metals company with 51-200 employees

I was using Check Point before Palo Alto. I am very disappointed with Check Point because I had to reboot power three to five times a week. Palo Alto Networks NG Firewall is comparatively very easy to manage and use. It has better logic for configuration than other firewalls.

View full review »
SZ
Team Lead Network Infrastructure at a tech services company with 1-10 employees

It's a next-generation firewall and it's pretty stable. You don't have to worry about if you restart it for some maintenance. It will just come back. Basically, it would come back in a straightforward manner. There are no stability issues.

The one thing that I like about Palo Alto is it's throughput is pretty straightforward. It supports bandwidth and offers throughput for the firewall.  The throughput basically decreases.

Palo Alto actually provides two throughput values. One is for firewall throughput and other is with all features. Whether you use one or all features, its throughput will be the same.

It's performance is better than other firewalls. That is due to the fact that it is based on SPD architecture, not FX. It basically provides you with the SB3 technology, a single path parallel processing. What other brands do is they have multiple engines, like an application engine and IPS engine and other even outside management engines. This isn't like that.

With other solutions, the traffic basically passes from those firewalls one after the other engine. In Palo Alto networks, the traffic basically passes simultaneously on all the engines. It basically improves the throughput and performance of the firewall. There's no reconfiguration required.

View full review »
Marine Consultant/Captain/Senior DPO at Jan Arild Hammer

Its price can be better. They should also provide some more examples of configurations online.

View full review »
Network Engineer at a tech services company with 201-500 employees

I like the architecture because it separates the management plan process and the data plan process. When I perform something CPU-intensive on management configurations, it doesn't disturb the data plan.

On the data plan, it uses parallel processing. This makes the security process and network process is more efficient.

View full review »
Network Engineer at Vibs

Implementing this product can be a little bit difficult. The configuration is difficult compared to other products, so it would be nice if there were videos are other instructions available. It can be very time consuming for the network administrator.

View full review »
TM
Sr. Engineer at a comms service provider with 51-200 employees

We set up this solution for companies of all sizes, from small to large enterprises. One of our clients is a telecom, which is quite sizable. They have the most complex configuration. The solution, however, is able to work for any company, no matter what the size. In that sense, it's a scalable option.

That said, the NG firewall is not a typical product that we can scale up on a whim. If we want to scale up in this product, we need to buy a higher series. We have to replace it. If we want to scale out this product, we can do a roll out in another location. Therefore, you can expand it out, however, you do need to change the sizing, which means getting a size or two up.

View full review »
AH
Network Security Engineer at a tech services company with 1,001-5,000 employees

I think automation and machine learning can be improved to make bulk configurations simpler, easier, and faster. Scalability can also be better.

View full review »
VK
Information Technology Project Manager at JSC "Penkiu kontinentu komunikaciju centras"

The configuration is very simple. 

View full review »
JC
Network Manager at a financial services firm with 1,001-5,000 employees

The ease of use and the ease of configuration of our policies are the most valuable features.

View full review »
MV
Network Administrator at a healthcare company with 201-500 employees

It's been 10 years and I don't remember any outages because of a hardware failure or a logical error in configuration. We had problems with servers or switches initially but it works like a charm now. 

View full review »
Technology consultant at a tech services company with 501-1,000 employees

The initial setup is pretty straightforward. We just had to do the initial configuration of hardware, deploy our Panorama VM and integrate with hardware firewall, and it is pretty simple. It's also quite self-explanatory. 

View full review »
SG
Network Administrator at a real estate/law firm with 201-500 employees

The SD-WAN product is fairly new. They could probably improve that in terms of customizing it and making the configuration a little bit easier.

View full review »
RC
Security Team Technical Manager at ECCOM Network System Co., Ltd.
  • Application identification
  • Antivirus
  • Vulnerability protection
  • URL filtering
  • SSL VPN
  • IPsec VPN

Palo Alto NGFW provides a unified platform that natively integrates all security capabilities. Most of our customers are busy. They cannot afford the time to learn very complicated user interfaces and configuration procedures. With Palo Alto Networks, they offered a unified user interface for all its NG Firewall products and Panorama. I think it reduces some of our customers' maintenance time. 

Palo Alto NGFW’s unified platform has helped our customers eliminate security holes. With a unified platform, customers can deploy the NG Firewall both in the data center edge, inside the data center, and in the product/public cloud environments. They have the same user interfaces and platform, so they can be maintained by a single unified platform called Panorama. Customers can use Palo Alto Network NG Firewalls in all the places where they need to protect their environments. This helps to decrease security holes.

View full review »
TG
Senior Network Engineer at a tech services company with 201-500 employees

With Palo Alto NG Firewalls, we can pass all compliance requirements. We trust it and we are building the security of our environment based on it. We feel that we are secure in our network.

It also provides a unified platform that natively integrates all security capabilities. It's very important because it gives us one solution that covers all aspects of security. The unified platform helps to eliminate security holes by enabling detection. It helps us to manage edge access to our network from outside sources on the internet and we can do so per application. It also provides URL filtering. The unified platform has helped to eliminate multiple network security tools and the effort needed to get them to work together with each other. In one appliance it combines URL filtering, intrusion prevention and detection, general firewall rules, and reporting. It combines all of those tools in one appliance. As a result, our network operations are better because we have a single point of view for our firewall and all related security issues. It's definitely a benefit that we don't need different appliances, different interfaces, and different configurations. Everything is managed from one place.

View full review »
OM
Chief Architect at a recruiting/HR firm with 1,001-5,000 employees

Historically, DNS would have been from local providers. Now, having a centralized DNS allows us to make sure there are no issues of DNS cache poisoning and DNS exfiltration. 

The solution has definitely helped us with the security holes around visibility and uniform policy deployments across the estate. Unified, centralized configuration management definitely helps us reduce the risk by having a central place where we can create a policy, and it is deployed everywhere, without the risk of human mistakes creeping in, e.g., typo mistakes creeping into configurations.

View full review »
Director Of Technology at La Jolla Country Day School

I have been looking at different firewalls because our service and maintenance contracts are up on it. We have two different outsourced folks who look at the firewall and help us do any configurations. My staff and I lack the knowledge to operate it. For any change that we need to make, we have to call these other folks, and that is just not sustainable.

We are moving away from this solution because of the pricing and costs. Everything costs a lot. We are moving to Meraki MS250s because of their simplicity. They match the industry better. I have called the bigger companies, and Meraki matches the size, then the type of institution that we are.

If someone was looking for the cheapest and fastest firewall product, I would suggest looking at the Meraki products in the educational space. I think that is a better fit.

View full review »
Security Engineer at Hitachi Systems, Ltd.

The initial deployment is straightforward; very simple. The primary access for these firewalls is quite simple. We can directly access them, after a few basic steps, and start the configuration. Even the hardware registration process and licensing are quite simple.

The time it takes to deploy a firewall depends upon hardware and upon the customer's environment. But a basic to intermediate deployment takes two to three months.

View full review »
Cisco IOS Security: Configuration
ME
Technical Lead at a tech services company with 10,001+ employees

I was not part of the installation process. That was handled by another team entirely. That said, they didn't take a lot of time to get everything up and running. It was, if I recall correctly, less than one week to put it up and test it and make all the configuration adjustments. Deployment was fast and it's my understanding that the whole process from beginning to end was straightforward.

We only needed two people and they were able to handle both deployment and maintenance. They are engineers.

View full review »
MN
Owner at it logic

The configuration should be easier in the solution.

View full review »
Fortinet FortiOS: Configuration
CC
Technical Head at a tech services company with 51-200 employees

The VDOM (Virtual DOM) is a virtualized firewall that has some opportunities for flexibility that are an advantage in certain configurations. The other valuable part is that this flexibility makes it easy to integrate with Cisco products.  

View full review »
PR
System Administrator at RBDigital

I work on the configuration and not really involved in the pricing. It was already in place when the company decided to switch back to Fortinet. 

I concentrate more on security.

View full review »
Chief Technology Officer at Future Point Technologies

We have had some performance issues, but that seems to be improving. I'd like to see better integrations and more flexibility for different scenario configurations. In comparison to Cisco, the CLI is quite difficult to use. Finally, I believe that the reporting could be enhanced to provide better visibility into the traffic. 

As an additional feature, Fortinet could have XDR embedded into it which would mean more visibility from the reporting side because right now we have to separately install FortiManager and FortiAnalyzer for driver analysis.

View full review »
AK
Senior Manager (Engineering Department) at a comms service provider with 10,001+ employees

We use FortiOS for the internet router and firewall for our customers' offices. In some of the smaller offices, there is only one FortiGate, but the hub site may have a pair of firewalls in an HA configuration.

View full review »
Sangfor NGAF: Configuration
CM
Product Manger

While the features are not dissimilar to other brands, configuration is much more simple, which works out great for Indonesian people. 

View full review »
Huawei NGFW: Configuration
Security Engineer at Multinet Pakistan Pvt.

Normally, the initial setup is straightforward. The length of time for deployment depends on the client, their environment, and the requirements. For a basic configuration, we can normally deploy within three to five working days. Sometimes, it will take longer because of the requirements, but the basic configuration should not be any longer.

View full review »
RA
Section Head Project Planning and Management. /Lead Network and Security Engineer at a government with 1,001-5,000 employees

The support could be improved. As we've gone along, we've realized the support is not effective due to the contracts we have. They need to offer more support upfront, no matter what contract you have.

The solution requires a more interactive dashboard. That would make it easier than playing with configurations the way we have to now.

It would be better if upgrading the solution was easier.

The solution needs four-way deployments and dashboard confirmation.

The product should be able to integrate with products like Ansible.

View full review »
YZ
Senior Software Manager at a engineering company with 51-200 employees

The initial setup is okay because you basically have to follow the user interface and configuration. Setup is quite easy to follow as long as you have all these network consents and firewall knowledge, you can do it easily.

View full review »
Forcepoint Next Generation Firewall: Configuration
AN
Head of Infrastructure & Cloud Section at a computer software company with 1,001-5,000 employees

I might have contacted them for some questions related to managing instances. We sometimes had problems with registering or activating licenses on the manufacturer portal. I haven't opened any ticket personally. My colleagues have contacted them for technical support, that is, for problems that go beyond the basics of the Forcepoint configuration, such as for replacing some faulty components. Their experience was good in general.

View full review »
MH
Managing Director at FORESEC

It is stable and scalable. In addition, their support is great. When you ask them for something, they provide support, and if required, they also involve the R&D team to help you to resolve the issues in your configuration.

View full review »
TA
Systems Engineer at a tech services company with 11-50 employees

The initial setup is of medium complexity. It is neither straightforward nor complex. If you want to implement a new firewall, you need to connect it to something called SMC or security management center, which is the main thing. It is the brain of the firewall, and without that, you cannot manage the firewalls. There are certain steps that need to be done on the SMC to do the configuration of the firewall. 

View full review »
SZ
Team Lead Network Infrastructure at a tech services company with 1-10 employees

Forcepoint is a little difficult to configure compared to its competitors. 

The product could be more user friendly. Firewalls are getting better in graphical user interfaces. If there is an issue with the appliances then the engineering team can work on the command line controls. A cheaper way is a graphical user interface for any users to be able to quickly configuration and implement.

View full review »
DM
Associate Consultant at SoftwareONE

The solution is mostly stable. We've just had a little configuration issue around the access and net policy. However, beyond that, it's been pretty reliable.

View full review »
Senior Solutions Architect at Infort

The initial configuration is straightforward, and we can use it with the cloud. But sometimes, there are network issues we can't see when we're using the ethernet cable. I think you need an engineer with some experience before implementing the first implementation by yourself.

The time it takes to deploy this solution depends on the features I have to implement or configure. Normally, it takes five or six working days, but it might take another week if I have issues with the VPN or user IDs.

View full review »
Azure Firewall: Configuration
JJ
Group Cloud Competency Center Manager at a transportation company with 10,001+ employees

Its initial setup was pretty straightforward. With its native portal and User Guide, you can very quickly do the implementation. Its UI is very user-friendly. 

We made it an enterprise shared service for our use case. We studied and designed the cloud-native Azure Firewall service from scratch and packaged it as a standard service in our environment. We wanted to maintain the Azure service like the DNAT network rule and application rule. We wanted it to be always manageable in its lifecycle. So, we chose the infrastructure mode to manage our service. We have a delivery pipeline, and we also use the DevOps mode to maintain the Azure Firewall configuration in its lifecycle. For this part, the API is good, and the native Terraform and Ansible have relevant predefined modules. It is working fine. So, for this part, it is very good. It doesn't matter whether you are a junior technical guy or an advanced technical guy. You can always find a comfortable way to deploy, manage, and maintain it.

Its deployment is very quick. It takes a few minutes. In order to make it the deployer pipeline, you need to spend some time because you need to think about the integration, such as how to integrate with GitLab CI, and how to make Azure Workbook so that it can monitor the usage and user performance. We wanted it as a managed service. So, the duration also depends on your use case.

View full review »
Network Security Engineer at Diyar United Company

Compared to other firewall products, the setup is complex. I have faced problems setting up the DNAT, and there are some issues with setting up the certificates. I have also had trouble with service tag issues.

The basic deployment takes one day or two days at the maximum. The fine-tuning, where we have to monitor and identify the proper traffic, takes place over two or three weeks. Fine-tuning is an extensive part of it. It is important that the configuration is set up correctly.

View full review »
DL
Network Engineer at a leisure / travel company with 10,001+ employees

In terms of what could be improved, it lacks a couple of features which are available in the other marketplace products, but it is stable and it performs most of the basic functions that are expected from a normal firewall.

When we deployed we did not have a centralized management of multiple firewalls. Right now, with Azure Firewall, we cannot have a normal inbound traffic flow. For inbound, Microsoft suggests using application gateways, so the options are very limited. I cannot use this firewall as an intermediate firewall because of the limitations, and I cannot point routing to another firewall. So if I want to use back-to-back firewall architecture in my environment, I cannot use Azure Firewall for that type of configuration either. 

Other features I would like to see are intrusion prevention, URL filtering, category-based URL filtering and other advanced features.

Overall, the configuration can definitely be improved.

In terms of the overall product architecture, if the management and the architecture of the product could support back-to-back firewall architectures so that I could use Azure Firewall in combination with another firewall, that would be one point which would help this product be used more and in a better way.

Again, if the Azure Firewall could be accommodated as a back-to-back firewall, meaning if it could work as a firewall which handles the inbound traffic from the internet, which is an NVA, or a network virtual appliance, and we could reroute the traffic to Azure Firewall, that would be good. But as of now, there is no routing options in Azure Firewall.

View full review »
Senior Azure Solution Architect at a tech company with 10,001+ employees

There are a lot of competitors to Azure Firewall. Microsoft figured it out, that they needed a firewall for their Azure platform that can integrate with their services. That's why they came up with Azure Firewall. It really has a pretty nice integration with Azure services. 

In terms of the reporting, it's beautiful. It integrates with Azure monitoring and with Azure policies. That piece is a big help. You can set governing policies and you can use the application firewall, as well as the Azure Firewall, to enforce those policies. If you use the Azure platform, it is the best choice. And they're working on integrating it with many more Azure resources.

The configuration is much easier because Microsoft already provides you with a tool that belongs to Azure. You can set one rule instead of setting 100 rules. That makes the administration of Azure Firewall much easier. For example, when it comes to DNS tags, services tags, and URL tags, you don't have to go URL-by-URL and tell it to open this or that port.

In addition, it's a SaaS service. You don't have to worry about managing a virtual machine and things like patching and upgrading.

View full review »
DJ
Cloud Architect at a financial services firm with 1,001-5,000 employees

You have to have a defined IP range within your network to associate it with your network. The problem is you have to plan ahead of time if you expect to use the firewall in the future so that you don't have to reconfigure your subnets or that specific IP range. Other than that, I don't any issues. I use it for basic configuration for a single application, so I really don't try to leverage it for multiple applications where I might find some complexity or challenges.

View full review »
Zscaler Cloud Firewall: Configuration
Director at Aquila ICT Solutions

The solution has great features like configuration. It would be difficult to improve or simplify what Zscaler does. Once you have Zscaler running you have access to configure it however you want.

View full review »
Palo Alto Networks K2-Series: Configuration
Network Security & Virtualization at a financial services firm with 1,001-5,000 employees

We are talking about a firewall and we are not talking about a simple machine. We are talking about a machine that is not something you can just make simple. We are not talking about a general machine, so it does not really have general features. It does have multiple features. It does have processing engines — the parallel processing of Palo Alto — which is great. The stability will depend on the configuration and use. You really only have two options. You can either go for Palo Alto, or with Fortinet. These are the leaders of network security right now, so I guess those are stable or they would not be popular.  

View full review »
PF
IT Specialist at a transportation company with 10,001+ employees

The stability of the solution is rather excellent. It is really stable unless somebody messes up a configuration. We didn't face any bugs or crashes or have any issues with glitches.

View full review »
MR
System Engineer at a tech services company with 501-1,000 employees

Palo Alto has an approach that makes the configuration easier not only for the customers but also for the IT help for the customers. 

View full review »
AS
CSD Manager at BTC

The ease of management and configuration should be improved.

The price of the K2 series could be lower.

View full review »
Juniper vSRX: Configuration
JJ
Expert - architect of ICT systems at a tech services company with 501-1,000 employees

The solution as a whole is good, but it requires knowledge to use it properly. We know this solution well; we know all of its configurations and little secrets that inexperienced users may not be aware of. It's a very powerful solution and the firewalls function with high performance. The configuration is also great.

View full review »
JJ
Expert - architect of ICT systems at a tech services company with 501-1,000 employees

It is deployed on the customer site, and we manage the firewalls on this side. It's a very useful solution. It is used on-premise at the customer site. It is useful for management, and the configuration is rather easy, as well.

View full review »
GajShield Next Generation Firewall: Configuration
Director at FORTIFY TECH SOLUTIONS LLP

The firewall configuration and administration screens could use some improvement. 

I think the UI screen has to be a lot simpler and smarter for firewall administration. They should also build a smarter alert mechanism in case of any unauthorized access. Basic alerts are there, but I think they could be better. First and foremost is the UI configuration screen. Some screens are good, and some screens are not that good. The UI for the administration of the firewall needs a lot of work.

View full review »
SonicWall NSSP: Configuration
AD
Executive Vice President at a tech services company with 51-200 employees

It has been delivering results efficiently. Its configurations and updates have been easy. It is also user-friendly.

View full review »
SonicWall NSV: Configuration
NP
Network & System Support Engineer at a tech services company with 11-50 employees

The hardware box renewal appliances GUI became extremely slow after the release of SonicOS 7.

When I compare SonicWall to its competitors, I notice that there are some functions that I cannot perform with the SonicWall appliance. For example, when I assign a user base bandwidth management, I enable the ULA (User Level Authentication), but I need a different solution and must enable browser-based authentication.

SonicWall requires certain features such as the authentication agent and user-based routing.

There are limitations to bandwidth management. When used in the education sector, there are some difficulties. They require bandwidth management, an authentication agent, and SSL VPNs.

Google Chrome is not supported, which is why the ULA occasionally fails to function. The authentication page does not appear.

The earlier model is TZ SOHO, they now have a startup with TZ270. We have some offices that have 10 users, as well as a limited amount of users that require a small device such as TZ SOHO, and not the TZ270. 

We are having some difficulties with the SOHO 250 model, regarding the throughput, but when I use the TZ270 it works well. I decided to replace it with TZ270.

When I enable the ULA, the Sophos core usage increases dramatically. Everything works fine when I use the IP-based policy. In general, when it comes to IP-based configuration, everything is fine; everything works great.

In terms of user-based policies and Gen 7, we have several problems with the ULA, and the page does not appear. We are unable to log in when the page does not appear, even when we have entered the correct credentials.

SonicWall, as well as other competitors, have SD-WAN, however, SonicWall features are different. The web filter component, the application component, and the firewall access rules, for example, are all different in the SonicWall Appliance.

When creating firewall access rules in Sophos and Fortinet, I just define the source, destination, and user, as well as a web filter, an application filter, and user bandwidth management on a single line. I only follow one rule and have never had a problem.

Everything is contained in a single rule only when I create it. I can assign web filter policies, application filter policies, and I can apply all security services in a single rule.

View full review »
Check Point CloudGuard Network Security: Configuration
Senior Network/Security Engineer at Skywind Group

We have had several support cases opened. Some of the issues were resolved by installing the latest recommended JumoHotfix, whereas some required additional configuration on the OS kernel level.

The longest issue took about one month to be resolved, which we consider too long.

View full review »
Cyber Security Manager at H2O Power

The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing when you get a new version and you see that it's still using the old dashboard for some of the configuration and some of the stuff that you look at.

They just need to make sure they get all their tools into this one place. It would make it a lot easier for the managers.

View full review »
MG
IT Security Manager at a retailer with 10,001+ employees

The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented toward the cloud mindset, cloud agility, and this is a great feature.

Check Point is a known leader in the area of block rate, so I don't have any complaints about it. It's working as expected. And similarly for malware prevention. When it comes to exploit resistance rate, it's excellent. I haven't seen any Zero-day vulnerabilities found in Check Point products in a very long time, which is not the case with other vendors.

The false positive rate is at an acceptable level. No one would expect a solution to be 100 percent free of false positives. It's obvious that we need to do some manual tuning. But for our specific environment and for our specific traffic, we don't see a lot of false positives.

Overall, the comprehensiveness of the solution's threat prevention security is great. It was changed in our "80." version and I know that Check Point put a lot of effort into threat prevention specifically, as a suite of products. They are trying to make it as simple as it can be. I have been working with Check Point for a long time, and in the past it was much more complicated for an average user, without advanced knowledge. Today it's more and more user-friendly. Check Point itself has started to offer managed services for transformation configuration. So if you don't have enough knowledge to do it yourself, you can rely on Check Point. It's a really great service.

Check Point recently released a feature which recognizes that many companies are going with the MITRE ATT&CK model of incident handling, and it has started to tailor its services to provide incident-related information in that format. It is easier for cyber security defense teams to analyze security incidents, based on the information that Check Point provides. It's great that this vendor looks for feedback from the industry and tries to make the lives of security professionals easier.

I highly rate the security that we are getting from the product, because the security research team is great. We all know that they proactively analyze numerous products available on the IT market, like applications and web platforms, and they find numerous vulnerabilities. And from a reactive point of view, as soon as a vulnerability is discovered, we see a very fast response time from Check Point and the relevant protection is usually released within a day, and sometimes even within a few hours. So the security is great.

View full review »
Senior Network/Security Engineer at Skywind Group

As an administrator, I can say that among all of the Check Point products I have been working with so far, the Virtual Systems solution is one of the most difficult. You need to understand a lot of the underlying concepts to configure it, like the virtual switches and routers it uses underneath. That leads to additional time needed for the initial configuration if you don't have previous experience.

In addition, there is a list of limitations connected specifically with the virtual systems, like the inability to work with the VTI interfaces in a VPN blade, or an unsupported DLP software blade.

View full review »
OP
Electronic Engineer at a tech vendor with 11-50 employees

The solution, overall, has worked very well for our organization.

The reliability of the product is excellent.

The configuration capabilities are very good.

The initial setup is pretty easy.

View full review »
SF
Security Platform Administrator at a tech services company with 501-1,000 employees

Check Point CloudGuard Network Security has established communications with other devices and other cloud providers. CloudGuard has improved the passage of CIS and PCI regulations. The functions for autoscaling save costs for the company and the centralized management helps us with administration. CloudGuard complements the security model of the company. We only need one solution for all cloud providers as it offers good compatibility with lots of protection. the easy funtion of use the licence core in other gateways helmpe to save cost. And the easy VPN configuration helpme to stablish more than 100 VPN in an shortly time.

View full review »