Topic: Sonicwall Alternatives

[MacGyver]

All of our client locations are on our WAN, and are all attached via Sonicwall secure VPN tunnels.  Therefore if I were to ping a 192.168.1.x address, the packet would route down the tunnel to Sierra-Tango.  If I were to ping a 192.168.2.x address the packet would route to Delta-Mike, etc.  Additionally if I was out of the office, but needed to access a location, I could take my laptop from anywhere and pull up the GVPN Client and attach to any location from outside the office.

It's worked well for 15 years, but ever since Sonicwall was bought by Dell it's gone to Hell.  In the past if you were a real customer with multiple locations, you would open the ticket with Peggy over in India, get a ticket number, then say, "I've got another call, I'll call you back."  Then hang up, call your Channel Account Manager at Sonicwall, give them the ticket number and they'd get you escalated to a real tech at Level III support in Arizona. 

As a result we're looking to make a transition.  It will probably require changing every location across the WAN which is why we have avoided it, but it's time to look for something better.

If you have suggestions for a new security appliance line I'd like to hear them.

We need the ability to have the devices attach by permanent VPN tunnels, and a HUGE issue for most clients is the ability to block web domains by name, as well as be able to block every web location by default and then only open the ones that are allowed.  Gateway Antivirus, Content Filtering, & Intrusion Prevention subscriptions are also desired.

Thanks.

[tonyburkhart]

We are a SonicWALL shop too and haven't experienced this, but I totally understand your position. Do you use a VPN concentrator and their built in Content/URL filtering?

I think you'd like this: check out Cyberoam http://www.cyberoam.com

[MacGyver]

Do you use a VPN concentrator and their built in Content/URL filtering?

I think you'd like this: check out Cyberoam http://www.cyberoam.com

Interesting.  I haven't seen their hardware before.  They look more like a managed switch than a gateway firewall.

Yes we're using their Comprehensive Gateway Security Suite at every client location as well as all of ours.  In addition to that, we use the CFS to allow whitelists and blacklists of domains.  Although on one of the last EOL upgrades the rep didn't know his product and upgraded several of our locations from a device that had an option to blanket ban all domains to devices which had no such option at the time.

I think we're about to put the new webserver behind a Cisco PIX.  We'll see how that plays.

[MacGyver]

Hey Tony are you running their Gateway Antivirus?

If so I might ask you to see if you can get to a website for me.

[NFCphoneman]

Well, this is not what I want to hear...   I just ordered 5 new Sonicwall's this week for a multi-site project.

Personally, I like PFSense, which is an open-source product.  Probably not what you're looking for though.

[MacGyver]

It's not that they're bad Larry, but I will tell you that having used them extensively over the past 15 years, if we can't resolve the problem then we stand little if any chance of getting the issue resolved via their tech support.  Even in the days when Level III support was in Arizona, we had tickets set open for 3+ months and then we'd finally resolve it in house.  The issue is that when we hit a block, it normally requires escalation to R&D which is just next to impossible to get done.  Now that it's Dell it's probably non-existent.

On the plus side, most people will never hit the kind of snags we would hit.

I'm just sick of dealing with Peggy over in India who handles the calls when she isn't answering the phone for Discover Card.

[MacGyver]

Ok Tony I don't know if you've played with the Cyberoam, but they have a simulated firewall on their site where you can log in to configure it, and I've gotta say it kinda rocks. 

[Marc Haycook]

Cisco ASA. They are great, but unfortunately they EOL'ed the ASA 5505 - which was the smallest unit and around $400 for a base license. They still make the line, but the least expensive unit is around $1000. It's worth it in my opinion.

[NFCphoneman]

Unfortunately, a $1000 router is usually out of the budget for what we're doing. 

Stupid question...Do you still have to configure them via a CLI, or can you use a GUI for everything?

[tonyburkhart]

Hey Tony are you running their Gateway Antivirus?

If so I might ask you to see if you can get to a website for me.

Feel free to PM me or email me with details and I'll help how I can. My business partner is the SonicWALL guru in the shop, so I'll pass it all through him. I know he's had no problems (knock on wood) with support issues, but he's also pretty blunt with them :)

Yeah, from what I've heard the Cyberoam stuff is the bees knees

[MacGyver]

Stupid question...Do you still have to configure them via a CLI, or can you use a GUI for everything?

Larry were you referring to the Sonicwall or the Cisco?  The Sonicwall is all GUI, including a few menus they don't tell you exist.

I think we spec'd a Cisco at the datacenter to go in front of the new webservers, but I'll be looking much closer at that cyberoam for all the gateways across the WAN as we start looking at EOL on all these Sonicwalls.  Maybe it's just me, but it seems like EOL on these happens every time I turn around. 

Marc what is a standard/reasonable life on an a security appliance?

[MacGyver]

but he's also pretty blunt with them :)

Like threaten to execute a cow and serve steaks every hour until they resolve the ticket?

[NFCphoneman]

Stupid question...Do you still have to configure them via a CLI, or can you use a GUI for everything?

Larry were you referring to the Sonicwall or the Cisco?  The Sonicwall is all GUI, including a few menus they don't tell you exist.

Cisco.  I know the Sonicwalls are GUI, but not I'm not familiar with the hidden menus. 

We're running PFSense on a 1U Supermicro Server for our hosted equipment at the Colo.  It just works flawlessly.

[tonyburkhart]

but he's also pretty blunt with them :)

Like threaten to execute a cow and serve steaks every hour until they resolve the ticket?

not far off. let's say he doesn't have more than one follow up call, before the problem is resolved :)

[Kumba]

 Maybe it's just me, but it seems like EOL on these happens every time I turn around.

Just some capitalism at work. Why sell only software licenses with minimal response and updates when you can also force the sell of over-priced hardware with minmal upgrades too. It's a good business model although I don't care for planned obsolescence.

We've used Untangle at a few client locations with good luck. Uses standard commodity PC components which never EOL themselves and is built on top of known opensource software components like IPSEC and OpenVPN. It does all the content filtering and VPN interconnectivity you were talking about too. Also has subscription services for things like virus scanning and IDS/IPS, etc. Can operate as either a bridge/pass-through or a router/firewall. The good news is that it's underlying OS is Linux so if you ever want to get really serious with the network you can do that too. It's almost invaluable to be able to log into a Linux OS and see exactly what the heck is going on. tcpdump into a PCAP into Wireshark makes so many issues easy to track down. Not to mention you can do some real heavy lifting remotely with things like nmap, arping, etc.

PFSense is another good one like Larry pointed out. It's built on BSD but should give you the same power as Untangle does.

Also like Larry, SuperMicro is a good hardware choice for OpenSource. This would be a good router for your average SMB customer: http://www.supermicro.com/products/system/Mini-ITX/1017/SYS-1017A-MP.cfm

I used to work for a company where I would build Untangle boxes that doubled as a NAS using SuperMicro servers. They worked pretty good and it was a nice upsell/add-on to the client that they could get a firewall and NAS all in one.


My number 1 complaint about any firewall is that I can never see exactly what is going in/out the wire. It's always a guessing game and hoping the logs are useful. SonicWall also irreparably damages SIP in my experience. It just hacks it to pieces trying to "help it work" according to SonicWall support. So many sip issues went away by removing the expensive sonicwall and replacing it with a $50 router from office depot.