Choosing a Firewall

I'm interested in any recommendations/opinion - good or bad on brands of firewalls. We currently have a PIX 506e and seem to be running into some hardware limitations when using VPN according to Cisco. They are recommending upgrading to the 515. Our ISP is recommending the Watch Guard X700

Mike

Mike Bailey

In article , Mike Bailey wrote:
:I'm interested in any recommendations/opinion - good or bad on brands of
:firewalls. We currently have a PIX 506e and seem to be running into some
:hardware limitations when using VPN according to Cisco. They are
:recommending upgrading to the 515. Our ISP is recommending the Watch Guard
:X700

Could you be more specific about the limitations you are encountering? And about the features you need?

Walter Roberson

It's hard to recommend a solution without knowing your needs. I've used both Pix and WatchGuard and find that CISCO is always a PITA when it comes to working with other vendors for tunnels.

If you need to set up PPTP to the firewall, WG makes it simple to set up users and then to restrict users to specific addresses (or full open). If you need branch-office IPsec dedicated tunnels, WG makes that simple too - you can have an IPsec tunnel set up to most vendors' appliances in about 10 minutes once you've done it at least once. We have cheat-sheets you can email me for if you get a WG unit.

A retail unit should not cost more than about $1900 for the X700, but does not come with the web-blocker key for that price. I just ordered two more x700 for a client, they've been painless so far.

Leythos

Our needs are pretty simple I guess. We are a small, one office company. We have a high speed DSL coming in. I also would like to be able to produce internal internet access reports, which I know WatchGuard provides built in to a degree, compared to the program by Stony Lake that I'm eval'ing right now for the PIX - cost $450.

Originally our goal was to be able to run our accounting package through a VPN. At the time we had an eSoft Instagate (instaHate as I call it) which had built in VPN, but was s-l-o-w when we tried using it. We were told by our ISP that we could change the MTU, but found you can't do that with the Firewall-For-Dummies, so we purchased the PIX506e. Went through a month of tech support with Cisco and was never able to get it working "right". I finally gave up on the idea of running the accounting application and was going to just settle on being able to map to our user folders for file access. But, ran into speed problems there also.

As a benchmark, I compared connecting to the server from home using Remote Desktop and browsing a folder that has hundreds of files and folders. From the time I clicked on the folder until it displayed the full contents was a count of 1, compared to a count of 15 doing the same thing through VPN.

Mike

Mike Bailey

Try Checkpoint Firewall1, expensive but the best, even for smaller sites.

Wayne McGlinn Brisbane, Oz

Wayne

Wayne wrote in article :

Why best? For which requirements? All? Hard to believe.

Cheers,

Chris.

Chris Kronberg
[Note: original discussion in comp.security.firewalls, but I am shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]

In article , Mike Bailey wrote:
:Mike Bailey wrote:
:> We currently have a PIX 506e and seem to be running into some
:> hardware limitations when using VPN according to Cisco. They are
:> recommending upgrading to the 515.

:We have a high speed DSL coming in.

:Originally our goal was
:to be able to run our accounting package trough a vpn. At the time we
:had an eSoft Instagate (instaHate as I call it) which had built in vpn,
:but was s-l-o-w when we tried using it. We were told by our isp that we
:could change the MTU, but found you can't do that with the
:Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
:of tech support with Cisco and was never able to get it working "right".
: I finally gave up on the idea of running the accounting application
:and was going to just settle on being able to map to our user folders
:for file access. But, ran into speed problems there also.

Mike, unless you happened to omit mention of a need for a DMZ, or for being able to relay traffic between two remote locations, or needing really huge numbers of simultaneous connections, then the 515/515E would not have any noticeable advantage over the 506E in the circumstances you describe.

If your high speed DSL is 8/8 ADSL (8 megabits/s in each direction) and you were running it flat out, then the PIX 506E could be running low on oomph if you were using 3DES, but that would be easily remedied by switching to AES-128.

The first thing I would check for in your situation is duplex problems.

The second thing I would check is the MTU and the sysopt connection tcpmss size; and right after that I would look at the flows you are permitting to be sure that everything is in place for Path MTU Discovery, after which it would be time for a quick check of the endpoints to see whether they have Path MTU Discovery turned on.

Likely the third thing I would check would be the log messages to see if there was anything interesting.

After that, I would do some ping and ttcp tests, to try to isolate whether the VPN itself is slow or whether the problems are end-to-end.

I suggest that this matter be followed up in comp.dcom.sys.cisco (newsgroups follow-ups already set.)

Walter Roberson
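The MTU check Walter suggests can be done from an endpoint with don't-fragment pings, as in this added example (not from anyone in the thread). It assumes a Linux `ping` (`-M do` sets DF; other platforms use a different flag) and a hypothetical host; the result is the path MTU through the tunnel and the TCP MSS that matches it, which is what you compare against the PIX's `sysopt connection tcpmss` value.

```shell
#!/bin/sh
# Added example: measure the path MTU toward a VPN peer with DF-set pings and
# derive the matching TCP MSS. Not code from the thread; Linux ping assumed.

# probe_ok HOST SIZE: 0 if an ICMP echo with SIZE payload bytes and DF set
# gets a reply, non-zero if it is dropped or "Frag needed" comes back.
probe_ok() {
    ping -c 1 -W 2 -M do -s "$2" "$1" >/dev/null 2>&1
}

# find_pmtu HOST [PROBE]: binary-search the largest payload that passes and
# print the path MTU (payload + 20 bytes IP + 8 bytes ICMP). PROBE defaults
# to probe_ok; it is a parameter so the search can be exercised offline.
find_pmtu() {
    pm_host=$1
    pm_probe=${2:-probe_ok}
    # Invariant: pm_lo passes, pm_hi fails. 1473 is past a 1500-byte Ethernet MTU.
    pm_lo=0
    pm_hi=1473
    # A zero-length probe failing means the host is unreachable, not an MTU issue.
    if ! "$pm_probe" "$pm_host" 0; then
        echo "host $pm_host does not answer DF pings at all" >&2
        return 1
    fi
    while [ $((pm_hi - pm_lo)) -gt 1 ]; do
        pm_mid=$(( (pm_lo + pm_hi) / 2 ))
        if "$pm_probe" "$pm_host" "$pm_mid"; then
            pm_lo=$pm_mid
        else
            pm_hi=$pm_mid
        fi
    done
    echo $((pm_lo + 28))
}

# mss_for_mtu MTU: MSS = MTU minus 20 bytes IP and 20 bytes TCP header.
# Compare the result with the PIX's sysopt connection tcpmss (default 1380).
mss_for_mtu() {
    echo $(( $1 - 40 ))
}

# Usage: sh pmtu.sh 192.0.2.1 (hypothetical VPN peer); nothing runs otherwise.
if [ $# -gt 0 ]; then
    mtu=$(find_pmtu "$1") || exit 1
    echo "path MTU: $mtu, matching MSS: $(mss_for_mtu "$mtu")"
fi
```

A path MTU below the expected 1500 minus the tunnel overhead, or a DF ping that never gets through at any size while plain pings work, points at exactly the fragmentation/PMTUD trouble being described.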

By covering just about everything mentioned here:

Wayne

Wayne

Wayne wrote in article :

Other firewalls do that, too. Pure application gateways are better than packet filters. Why should Checkpoint be the best? Where is the proof for your statement?

I think it's careless to recommend a firewall system without knowing about the requirements. And being protected from people who might exploit vulnerable systems is just one requirement of many.

Cheers,

Chris.

Chris Kronberg
