sub $500-750 CPE firewall for voip-centric application

Matt Freitag mlfreita at mtu.edu
Thu May 5 19:09:43 UTC 2016


I'm a huge fan of Juniper's SRX line. I use all the features you point out
at home on my SRX210, although that product is end-of-life. A refurbished
SRX220 lists on Amazon for about $375, and a new one for $700. Naturally
support is extra, but I'm not sure how much.

I haven't used it myself but I have seen the packet capture in action.
It'll save any traffic you want right out to a pcap file too. I also like
"show security flow session" - shows you the source, destination, ports,
how long a session has been going, and number of packets and number of
bytes transferred.

Matt Freitag
Network Engineer I
Information Technology
Michigan Technological University
(906) 487-3696
http://www.mtu.edu/
http://www.it.mtu.edu/


-----Original Message-----
From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Nick Ellermann
Sent: Thursday, May 5, 2016 2:51 PM
To: Mel Beckman <mel at beckman.org>
Cc: nanog at nanog.org
Subject: RE: sub $500-750 CPE firewall for voip-centric application

You're exactly right, Mel. Dell has really turned the Sonicwall platform
around in the past few years. We dropped it a year or two before Dell took
them over. Back then Sonicwall was full of issues and lacked important
features that our enterprise customers required. If you have budget, Palo
Alto is something to look at as well, but don't overlook Sonicwall and
FortiGate.


Sincerely,
Nick Ellermann - CTO & VP Cloud Services BroadAspect

E: nellermann at broadaspect.com
P: 703-297-4639
F: 703-996-4443

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.


-----Original Message-----
From: Mel Beckman [mailto:mel at beckman.org]
Sent: Thursday, May 05, 2016 2:49 PM
To: Nick Ellermann <nellermann at broadaspect.com>
Cc: Ken Chase <math at sizone.org>; nanog at nanog.org
Subject: Re: sub $500-750 CPE firewall for voip-centric application

I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto
firewalls.  The best SMB devices are definitely SonicWall and Fortigate.
SonicWalls are easier to configure, but have fewer features. Fortigate has
many knobs and dials and a very powerful virtual router facility that can
do amazing things. The two vendors have equivalent support in my opinion,
although Fortigate tends to be more personal (Dell is big and you get
random techs).

Cisco ASA is overpriced and under-featured. Cisco-only shops like them,
but mostly I think because they're Cisco-only. PaloAlto is expensive for
what you get. Functionally they are on the same level as Fortigate, with a
slightly more elegant GUI. But Fortigate can be configured via a USB
cable, which is a huge advantage in the field. Legacy RS-232 serial ports
are error-prone and slow.

 -mel

> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellermann at broadaspect.com>
wrote:
>
> We have a lot of luck for smaller VOIP customers having all of their
services run through a FortiGate 60D, or higher models. 60D is our go-to
solution for small enterprise. However, if we are the network carrier for
a particular customer and they have a voip deployment of more than about
15 phones, then we deploy a dedicated voice edge gateway, which is more
about voice support and handset management than anything.  You do need to
disable a couple of things on the FortiGate such as SIP Session Helper and
ALG.  We never have voice termination, origination or call quality issues
because of the firewall.
> FortiGate has a lot of advanced features as well as fine tuning and
adjustment capabilities for the network engineering type and is still easy
enough for our entry level techs to support. Most of our customers have
heavy VPN requirements and FortiGates have great IPsec performance.  We
leverage a lot of the network security features and have built a
successful managed firewall service with good monitoring and analytics
using a third-party monitoring platform and Fortinet's FortiAnalyzer
platform.
>
> Worth looking at, if you haven't already. If you want to private message
me, happy to give more info.
>
>
> Sincerely,
> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>
> E: nellermann at broadaspect.com
> P: 703-297-4639
> F: 703-996-4443
>
> -----Original Message-----
> From: NANOG [mailto:nanog-bounces at nanog.org] On Behalf Of Ken Chase
> Sent: Thursday, May 05, 2016 1:54 PM
> To: nanog at nanog.org
> Subject: sub $500-750 CPE firewall for voip-centric application
>
> Looking around at different SMB firewalls to standardize on so we can
start training up our level 2/3 techs instead of dealing with a mess of
different vendors at cust premises.
>
> I've run into a few firewalls that were not sip or 323 friendly however,
wondering what your experiences are. Need something cheap enough
(certainly <$1k, <$500-750 better) that we are comfortable telling
endpoints to toss current gear/buy additional gear.
>
> Basic firewalling of course is covered, but also need port range
forwarding (not available until later ASA versions for eg was an issue),
QoS (port/flow based as well as possibly actually talking some real QoS
protocols) and VPN capabilities (not sure if many do without #seats
licensing schemes which get irritating to clients).
>
> We'd like a bit of diagnostic capability (say tcpdump or the like, via
> shell
> preferred) - I realize a PFsense unit would be great, but might not
> have enough brand name recognition to make the master client happy
> plopping down as a CPE at end client sites. (I know, "there's only one
> brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get
> irritating for end customers.)
>
> /kc
> --
> Ken Chase - Guelph Canada
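Nick's point above about turning off the SIP session helper and ALG on a FortiGate, written out here as an added FortiOS CLI example (not from the thread or from Fortinet). The session-helper entry number differs between FortiOS versions, so `<N>` below is a placeholder that must be confirmed with `show` first.

```text
# Added example, not part of the original thread. FortiOS CLI, admin session.
# Step 1: locate the SIP entry in the session-helper table. Its number varies
# by FortiOS version, so read it from the show output before deleting it.
config system session-helper
    show
    # look for an entry like:  edit <N>  set name sip  set protocol 17  set port 5060
    delete <N>      # <N> is a placeholder for the SIP entry number shown above
end

# Step 2: disable the kernel SIP helper and SIP NAT tracing so the firewall
# stops rewriting SIP headers and SDP bodies, which is what typically causes
# failed registrations and one-way audio behind the firewall.
config system settings
    set sip-helper disable
    set sip-nat-trace disable
end

# Step 3: verify the SIP entry is gone. Sessions established before the
# change keep the old treatment until they time out.
config system session-helper
    show
end
```

After this, any SIP-aware inspection has to come from an explicit VoIP profile on a policy, so a voice edge gateway or SBC (as Nick describes for larger deployments) carries the SIP handling instead of the firewall.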


