Which Branch Router or Firewall to Buy?

Going to perhaps make things worse with another vendor suggestion. Have a look at Mikrotik. I'm hearing they're picking up a lot of business lately due to very low cost and decent performance.

http://www.mikrotik.com/index.html

I've used IOS firewalls, ASAs and would prefer SRX.

The rest I can't comment as I haven't tried them yet.

Will - SRX would be what I would equate Stretch's JunOS entry to represent.

Stretch - I hear you re the advantages of an ISR with ZBFW but my experience with them is that:

a. they're a bear to setup - even with CCP b. the community knowledge of ZBFW doesn't compare vs. ASA (by an order of magnitude).

So, my answer is an ASA firewall for firewall (and VPN) features and a router (for routing) in front of it. If the requirements are very basic, one can "route" out the ASA firewall with a default gateway but don't rely on an ASA for any real routing (except perhaps some -very- basic EIGRP or OSPF).

Just my 2 cents....

The whole idea that even a small company would balk at $1500+ for a device with 3 years support is strange to me. First they get to write almost that entire amount off as a cost of business and they get to average that over the 3 years!!! Second $1500+ one time fee for gear that will last them 4-5+ years with little intervention also doesn't seem to be a bad investment. I am sure those small companies employee either a in house or external net/sys admin that will spend hours fixing users email/workstations and the cost of the router/managed internet is small compared to those expenses, and again the companies gets to write that off.

As far as the hardware goes I don't think you can go wrong with either Juniper/Cisco, If they paid me to support Adtran/Sonicwall I would recommend going to Juniper/Cisco :)

just me two cents.

Hey I have been in your hiring situation before. I tend to find that Juniper guys also know cisco but not the other way around.

I also find you have to pay more for juniper guys as they tend to have better all round skills.

In saying that when the SRX range came out we nearly ditched Juniper all togetehr as it was so buggy

I prefer Cisco ISR, even though I have limited Juniper experience and no Adtran experience I'm pretty confident saying they are the most versatile. ASA are alright, but limited. I'm also not a fan of anything that doesn't have a console port and a decent command line, so no Sonicwall. My employer sells quite a bit of WatchGuard, which fall in with Sonicwall to me.

As far as cost goes, maybe you should look into the 800 series ISRs. I grabbed some list pricing with 3 years 8x5xNBD SmartNET on each as a comparison and they seem pretty reasonable: ASA5505 (50 users) - ~$1150 881 ISR (Advanced IP Services) - ~$950 891 ISR (Advanced IP Services) - ~$1450

I run an 881 as my home router and have been pleased with it.

As for Marv's comment on ZBFW. If you don't stick to a convention the config can get out of control (true of many things), but I really like ZBFW. I once tried to configure it with CCP to see whether it would be an option for my less CLI minded coworkers; found it to be near unusable and the generated config was horribly unintuitive.

No love for Fortigates?

Solid performance, great webUI, CLI for speed and portability, content-filtering, great set of features overall.

I also really like how its SSL-VPN feature does not require any license to implement.

Hi!

You have forgotten a new player on this game, and from my point of view these are the weapons of choice now: The Palo Alto Networks PA200

You should give them a try.

It all comes to what customer needs. If we are talking about pure router functionality within corporate environments and customer is willing to pay: 1: choice – Cisco ISR (proven values and predictability) If not so much $: 2: choice – Juniper SRX (cheaper choice, unparalleled feature-set and versatility. Swiss knife – if we count int even UTM features [which might work better]).

Yes, you have to learn junos (as web-UI should be improved greatly - in terms of speed). My story with JunOS. I got a Project built with ~50+ devices (with almost no prior knowledge but 5+ years as a cisco guy). And within 2 months I felt so comfortable that was able to pass even junos certification. So claiming, that Junos is not IOS and we discount it as an option – in my opinion – unacceptable. You have Juniper DayOne books, KB, free web presentations for free. And can build fully functional simple lab with only one(!!!) srx.

We use SSG devices as well. Mostly due to the two reasons: - Even cheaper than SRX’es - ScreenOS driven, proven stability and security However, you have to remember that ScreenOS is yet another beast to learn if you want to get comfortable with it from CLI.

As for the Firewall of choice 1 – JuniperSRX – flexibility, stability, ease of use. [ UTM functionality / L7 fw… you have to look up close and carerfully what features to enable and how it will impact system performance]. [also as a downside - remote vpn possibilities. No native remote - ssl/ipsec. And for dyn-vpn you need licences] 2 – Cisco ASA – (place#2, because of the price). 3 – Fortigate- +++ UTM configuration possibilities and quite simple

-- To sum up. Juniper SRX is a perfect choice in small–to mid range enterprise. Versatility in both routing and firewalling are awesome. (just to have look carefully working with UTM functionality – it definitely requires more improvement) But in our environments now becoming almost first choice.

"SSG is legacy and its CLI, of you didn't mention it is the worst I ever encountered: you cannot delete any char you mistype"

Don't blame the SSG for your inability to configure your terminal to send ^H when you press the delete key. ScreenOS has many other command line quirks, but inability to delete ain't one of them :-)

That said, I wouldn't deploy any ScreenOS devices now because the legacy comment is absolutely correct. SRX is where it's at now.

Have a look at the Juniper SRX family. I'm seeing increased performance with substantially less spend than a Cisco isr2. I'm using them as a CPE: nat, bgp, bfd and some acls and it all works great. We had to buy the data license for the isr2 to get bfd, on the juniper much more is included.

I was Cisco only up to that point, and now, some modest amount of time later, I hate working on ios boxes. Even IOS XR seems primitive in comparison to me.

Good luck!

As regards your customers that balk at the price of security gear, they need to consider how much a breech would cost them before outright rejecting any particular solution.

Is there a specific reason Check Point was omitted from your list? I currently support Cisco, Check Point and Juniper firewall gear. Check Point is by far the most stable and flexible of the three. Granted, CP is costly to initially purchase and also for ongoing support, but wins hands down as a security solution in my experience. ScreenOS is a good choice for small shops with limited means and functions. It seems to fit best for the scenarios you describe and the resources you have at hand.

I lived IOS for 12 years prior to focusing on security for the past 6. IOS is fabulous for network switching/routing, not so great for dedicated security applications, particularly on edge devices. This discussion on Cisco vs Check Point may be of interest:

https://www.cpug.org/forums/r75-40-gaia/17876-difference-between-cisco-checkpoint-firewall.html

Kind regards, dbCooper

Does anyone take these seriously?

SMB Router ARC Winner

SMB Firewall ARC Winner

I was surprised to see SonicWall as the winner after reading your post about there not being a CLI --- maybe there is a hidden one in there somewhere :)

I definitely agree that limiting the spectrum of vendors and solutions offered tilts skill sets to the 'specialty' side of the scale.

While Juniper was cited as having some product disparity, Cisco products are certainly not devoid of similar grievances.

For example: The ASA (esp 5505) and ISR security modules have a lot of feature overlap including the CLI. Configurations from the command line can be MUCH different between the two because of the differing architectures. This sometimes leads to frustration and delays, analogous to how I feel working with the differences in terminals on BSD (Mac) and Fedora, for even the most menial tasks such as changing file permissions or mounting volumes.

As others have mentioned, the Juniper SRX line is really good. The few cons i don't like are:
- Huge configuration file, must always filter the output;
- Copy/Paste from notepad is not so swell as on Cisco IOS. In example, to create 1 destination NAT rule i must copy a single line into Cisco configuration while i must copy 4 of them into JunOS. If you need to insert many similar rules, it will be a burden;
- IPSec VPN debugging outputs could've been better. It's worse than to read some dry RFC.

And they are not that buggy anymore, can live with JunOS10.4++ :)

+1 for Palo Alto Networks.

Competitive pricing, myriad of features, and a very intuitive GUI in addition to structured, JUNOS-like CLI.

I've had great luck with using ADTRAN devices for routers and firewalls. They are extremely versatile devices. The pricing makes them much more attractive than Cisco. They also support their devices with updates without the need of a Smartnet like support contract. I've sent many questions directly to their engineering and support via email and have always got a response in hours.

Stretch definitely brings up a good point that if you're used to Cisco there will be some differences that you'll need to learn. Their IAD products are reliable and cheap compared to Cisco.

Their multilayer switches are different from Ciscos they do not support addresses on physical interfaces. I prefer to refer to them a layer 3 lite. The 1335 is extremely flexable; router, switch, poe, and vpn for under $1500? Great devices for hosted phone systems and small branch offices.

Supporting the hardware you sale without asking for a credit card for software updates means a lot to me.

Palo Alto Networks +1

Great WebUI, very easy to use and fast compare to JWeb on Juniper SRX
Decent VPN clients, it is very easy to use compare to Juniper SRX Dynamic VPN (WHAT A JOKE)....
Central Management is great
RESTFUL API

CLI needs improvement, the CLI could be much better with better cut and paste config ability.

Lack of decent SNMP support.

If you are using ScreenOS, the learning curve is not that bad..

Very buggy software,

Poor documentation, lack of best practice guide

Support is okay not the fastest in respond to issues or fixing bugs.

Nice approach to understanding the ROI. My Cisco centric team also loves Fortinet boxes. They perform well for the UTM functionality + routing failover with OSPF domain extended into the perimeter devices.

Regards,

Hi

What about ordinary servers with OpenBSD?

Cheers

We can discuss for years which device is better. Some folks take Cisco and Juniper or other vendor and make a religion of them.
At some point you need to pick a few products and stick with them until the market changes. In traditional networking (switches, routers, firewalls) Cisco still has a very high market share. If you decide not to deploy or support Cisco, you will lose customers. Juniper is second, with everyone else trailing behind.
Stick with the top two or three and watch market trends and adjust.

On a technical side, I have deployed both Cisco (ISR, Catalyst, Nexus, and PIX/ASA) and Juniper (SRX, J-series, EX, and ScreenOS). Unless you are building an extreme low latency, high-bandwidth, high-transaction infrastructure, you can pick Cisco, Juniper, Brocade or any other vendor and successfully deploy if you are competent with that specific vendor. In a normal office deployment it comes down to cost and/or management's preference.

Some specifics about Junos devices that I personally do not like:
EX switches do not survive power outages 50% of time. Luckily, 10.x code and above has a backup partition. 12.x code might have a built in option to recover a corrupted partition.
HA in SRXs makes both firewalls act as a single logical device. It is good unless you have to upgrade. In-service upgrade (3400s and above) has caveats based on code release and options you are running. Unlike Netscreen or ASA, which have two boxes sharing state, if you screw up an SRX upgrade be ready for a long downtime. With ASAs you can always upgrade one box at a time.

I have tested for 3 months some equipment (router) for one client with low budget and higher data demands (start-up business). In the middle of the research, a good friend talked to me about Mikrotik from Latvia (EU). Looking for his specification and brand info in their site, I found a equipment with characteristic between (King-Kong) and (Hulk) with a very small price tag. The prices varies from $645 to $995 and have super hero capacities like 16 to 36 cpu cores (1.2 GHz), 16 - 24 millions of pps (64kb frame), PoE, SPF ports, 2 - 4GB Ram and so on. I have ordered 2 for back-to-back test and I think if this equipment fill my specification, I will using or recommend to the client. Here the link for more info:

Mikrotik Cloud Router

ps: The router include a firewall module, MPLS, Proxy and other cool stuff.

https://www.barracudanetworks.com/products/ngfirewall

I think this could be the best "bang for the buck" deal around, though I'm not too familiar with prices of products by any vendor.

Tons of features and deployment options (appliance, "standard hardware - Barracuda NG FW running on a IBM/HP/Dell/... server, virtual appliance VMware/XEN).

Stir clear from Fortinet-s. They are not stable enough, but for branch FW-s it may be not an issue.

SRX-es are great, I manage network with about 100 of them. 240 and 210 mostly. Have not seen any hardware problem. Software sometimes screws up, but FW normally able to reboot yourself or just restart failed process automatically.

I have VPN experience with Cisco ASA as well as Juniper SRX and the old NetScreen stuff. We have ~30 VPNs to various sites using mostly small NetScreens and a few larger boxes as the 'hub' for them. We've been migrating to the SRX line for firewalls and will soon be migrating to them for the VPNs too. If you didn't like the SRX line when they first came out a few years ago you should look again, they are rock solid now.

I personally don't like the ASA for anything other than client-based VPNs (they are great at that). The CLI & config files of a Junos/SRX so clean, readable, and usable you'll hate ever looking at an ASA again. I learned Junos easily, is not a pain in the ass as this article mentions.

You can get an SRX 100 for around $600.

ISR ZBF can be made to work, but even with a good naming convention and sticking to a basic strategy, the configuration gets huge. In addition the tools for monitoring/testing the ZBF are practically non-existant and the documentation for the various parts of the inspection engine are still terrible. Trying to figure out why a particular protocol is not passing through, or a particular inspection engine is not working is near impossible.

I understand what they were trying to do, but at this point, I'm thinking they need to rework it. It's nice to try and stick with the existing modular policy framework just isn't scalable configuration wise. It would be easier to apply zones to interfaces and ACLs to the zones...similar to ASA. Maybe they'll eventually get the frame work where the show commands are manageable and you have real insite into the logging and state functions (snmp mibs would be nice).

Well, I'm historically a "cisco guy" so I can only really comment on that part. I worked for an MSP for about the last five years, and we were a Cisco shop.

tl;dr version = Cisco ASA is solid, but expensive. Does great at site2site VPN, very dependable.

ASA is a very solid platform, but does require initial work to get them configured. However, once you know how to configure them, they will literally run for years stuck in a closet and doing their thing. One client we had ran a central site with a 5520, and 20+ roaming sites with 5505's, all running more or less the same config with just different IP addresses. These ASAs sat in dusty, hot, humid, vibrating conditions and ran VPNs back to the home without problems for years. When one broke, since they kept up with their smartnet, Cisco would ship out a new one overnight with hardly a hoop to jump through. One call to TAC, and a box showed up the next day. Get the firmware matching, drop in a config and you're off to the races.

The ASA line is branched from the PIX line, which they purchased a long time ago. Its OS is not actually directly from the IOS line, but has been made to conform so that most commands are the same. In some ways, ASA is easier to configure, as it tends to be "smarter" at configuration.

Client VPNs, not as great. The 64-bit versions of their VPN client were initially not available, and the 32-bit doesn't work at all on a 64-bit os. Until their newest VPN client (AnyConnect) there was no simple GINA integration, so you had to first login, then connect the VPN. Caused some problems with roaming domain laptops that went long periods being disconnected from their DCs.

Licensing and Smartnet are where Cisco starts to lose battles. The ongoing cost of smartnet drove several customers to look for other solutions like Sonicwalls and even domestic, off the shelf solutions from their local office supply store.

I don't know how other companies handle their partner setups, but to be a Cisco shop you must employ a certain number of Cisco certified personnel, and that requirement changes depending on the level of product you want to support.

Branch firewall - Palo Alto.

I just left training and I have to say packets inspection firewalls look simply archaic now. Cisco & Juniper are going to be left behind very quickly Actually, its already happening. This has more to do with functionality than marketing. Why use just source/destination/service when you can look INSIDE the application? GAME OVER.

We use all: ASAs, IRS2, SSGs, and SRX.

ASAs are great as HA pair of firewalls in a data center. I would not use them in offices where you need all in one device, since they don't support BGP and route-based VPN tunnels. ISR2 are great all-in-one. This is our preferred device, and as stated before, cost is an issue. But it is worth it.

SSGs/ISGs, love them, they can do most of the ISR2s and all of ASAs and have a great HA setup in ISGs for large data centers but Juniper will retired them in time. SRX is SSGs replacement. SRX, I want to love them, but...All-in-one is great competitor to ISR2s, more Ethernet ports, cheaper, but you can't add more RAM and bugs. For larger data center HA deployments: stay away! HA deployment is terrible and you will have to reboot both boxes to fix an issues, unlike ASA or ISGs. SRX HA makes two boxes into one logical, control plane stays on one, but forwarding on both. We had a memory leak, could not fail-over, the only way was to reboot the whole cluster (per JTAC). Now explain business why data center was down even though you have an HA setup. This never happened with ASA or ISGs.

I would say try Cucumber Wifi

They're great and reasonably priced as well. I use them for my business. It offers full guest access option with a splash page and captive portal that logs your sessions.

The firmware is loaded onto the UniFi AP and gives you guest access options and an unlimited number of SSIDs (guest and private networks).

It also gives you cloud management of the AP and some enterprise networking features you don't get from the standard UniFi firmware and controller setup.