2023 Firewall Features Compared: pfsense | Arista | UniFi | Sophos | Fortinet | Meraki & What We Use

128,741 views

Lawrence Systems

1 day ago

lawrence.video/firewallreview...
pfsense tutorials
lawrence.video/pfsense
UniFi Tutorials
lawrence.video/unifi
Christian Lempa Sophos XG & other great videos
• Protect your home netw...
Stacey on IOT Firewalla Review
staceyoniot.com/tag/firewalla/
The Network Berg MikroTik & Other Networking videos / @thenetworkberg
⏱️ Time Stamps ⏱️
00:00 Firewall Comparison Chart
00:48 How We Made The List
02:15 pfsense CE VS pfsense plus
03:02 What About OPNsense
04:28 The Chart of Firewalls, pfsense, Arista Untangle, UniFi, Fortigate, Sophos, Meraki
06:20 Virtualization support
06:51 Central Management
08:17 Web Management Interfaces
08:51 License Fees
10:36 High Availability
10:56 BGP/OSPF
11:37 SDWAN
11:54 OpenVPN, Wireguard, L2TP, & IPSEC Support
14:38 Tailscale
15:15 IDS/IPS Traffic Inspection
16:31 Web Content Filtering DPI & SSL Inspection
17:24 DNS Filtering
18:21 Traffic Shaping
18:40 Multi WAN
19:22 Active Directory Integration
19:44 Policy Routing
20:20 Firewall Rules Based on Active Directory
20:50 Reverse Proxy & Let's Encrypt
22:52 Captive Portal
23:20 Traffic Reporting
24:00 VLAN Support
#firewall #networking #security

Comments: 431
@LAWRENCESYSTEMS 1 year ago
A few notes: The Fortinet DOES have a reverse proxy (not just a load balancer). The Sophos DOES support Let's Encrypt for their web interface.
@SmoothOper4t0r 1 year ago
FortiGate can be run as a virtual machine. What about Antivirus, Antispam, File Filter, SSL inspection, SD-WAN, IPS that actually gets the job done? This is a really limited list of only stuff that pfSense does.
@LAWRENCESYSTEMS 1 year ago
You either did not watch the video or did not look at the comparison chart (probably both) because most of those features are on the list.
@SmoothOper4t0r 1 year ago
@@LAWRENCESYSTEMS multi-WAN is not SD-WAN. Antivirus or Antispam is not mentioned at all. The hard truth is that Open Source firewalls are really not that good when it comes to endpoint protection, from Antivirus to content filtering; they are just too much to handle. Even then, they are not reliable. IPS is covered, sorry about that. Although, IPS with SSL enabled is a whole other story.
@LAWRENCESYSTEMS 1 year ago
Multiple wan and sdwan is on there. So is the SSL inspection. Are you even looking at the same chart? For someone trying to make their point about "The Hard Truth" of Open Source, not reading the materials presented is not helping your credibility.
@GT500Shlby 1 year ago
@SmoothOper4t0r You don't need endpoint protection, that's what Cylance/Crowdstrike/Sentinel One is for. Same with the SIEM, let the SOC handle it, buy it as a service that just works and check it off your insurance form. Then get Threatlocker.
@connorfreebairn6537 1 year ago
Really appreciate the run down. Comparing firewalls is hard at the best of times, happy you made this video. (The sheet could be a very useful resource in the future) 👍
@DPCTechnology 1 year ago
Great stuff! Would love this to be an annual thing. Great reference!
@stevenmishos 1 year ago
4 minutes of disclaimers so Tom doesn't have to deal with, "why not xyz?" ... will still be asked, "why not xyz?".
@LAWRENCESYSTEMS 1 year ago
Yes, but all those comments do help the YouTube algorithm know that people find this content engaging!
@josealfredfernandes 3 months ago
@@LAWRENCESYSTEMS Which is the best? Is it Sophos?
@LAWRENCESYSTEMS 3 months ago
@@josealfredfernandes The best one is the one that fits all your needs.
@pest86 1 year ago
I was using pfsense for 5+ years and recently started having issues with rule schedules not blocking what I need to. Switched to opnsense and was amazed - issues are gone and I live in 2023 now, not in 2000, where the pfsense web UI is stuck. Very happy with it and would say it is worth trying.
@angelgonzalez2379 1 year ago
Didn't realize the GUIs were that different. I haven't had any issues with pfsense yet, but I might spin up opnsense just to see what I might be missing.
@TheFibie007 1 year ago
I'm interested in a bit more specification if you don't mind. Maybe I'd have to look into this.
@pest86 1 year ago
@@TheFibie007 I have some IPs that should be restricted going outside based on a schedule. I've created 2 rules - one to block always and another to allow on a specific schedule. It's been working for years but the latest update broke it. I've been using the Home Plus licence. Rules just stopped working - the schedule was ignored. The only way to enforce the rule was to reboot pfsense. Client wifi reconnection and even a reboot didn't do anything. To illustrate: the rule allows the connection but the client can't connect; pfsense rebooted - the client can connect. Then the rule does not allow the connection but the client still can connect, even connecting to the LAN after the disabling rule is in effect; again a pfsense reboot is the only way to enforce it.
@geepeezee5030 1 year ago
I actually prefer the pfsense UI. It seems more logically laid out, at least in my mind. Opnsense's UI is more "modern" looking but not necessarily better. On the same browser it is slower to navigate between screens. Also, the gray colored font is harder to read than pf's more contrasting colors. Regarding the scheduling issue, likely a pfsense bug that needs to be fixed. This is version 23.01. By 23.10 hopefully most bugs will be fixed. Learned a long long time ago to never update to the newest version right away. Give it at least 6 months before even considering testing it.
@pest86 1 year ago
@@geepeezee5030 pfsense UI is usable, no doubt. I prefer opnsense UI but it's a personal taste. I haven't upgraded straight away, gave it a couple of months from the release. Rather than reinstall I've decided to try opnsense and, as I've mentioned, not looking back
@aimestereo 1 year ago
Thanks pal, great help on this topic!
@lumarel 1 year ago
I was kind of a long time user of pfsense, and still use it for old testing environments, but at one point I got a Mikrotik Router, that has served me very well for any needed advanced firewall configurations, as well as VPN endpoints.
@minigpracing3068 1 year ago
RouterOS has a lot of good features inside.
@jzcalderon 10 months ago
Except when you need IPsec VTI 😅
@nicoribeiro23 1 year ago
Most wanted video for quite some time. Thanks Lawrence
@danroot84 1 year ago
Lol just fyi his name is Tom Lawrence.
@ronnie141z 1 year ago
Thanks for the video Tom, just a quick correction though, you might want to rename the 'Operating System' row to 'Kernel'. Keep up the great work, I enjoy your videos a lot!
@MoD_Master_Of_Disaster_ 10 months ago
Long term Meraki user here, I even have 4 years and 299 days left on my licenses, but recently I moved to pfSense. The main reason for ditching the Meraki MX64 firewall is that we've outgrown it. Being limited to 250Mbit on the WAN side is a 50% reduction of my internet speed (the ISP does give us a "free" speed increase every year or so). After having tested pfSense as a VM on a Synology DS1621+ for a week, I bought the Netgate box. So last Friday I received my Netgate 6100 (with a 4 year hardware support contract). Man am I blown away by it. Yes, Meraki has some nifty features, though I don't think I'll miss them that much on our home network. I'm quite certain the Netgate box will serve us well for the next few years.
@tillburn 1 year ago
Awesome! Love the shirt Tom.
@davidyoder5890 1 year ago
I've been using Untangle since it was a Windows app (yes, you read that correctly), and I absolutely love it. No product is without its downfalls, but Untangle has been rock solid for me for at least 10 years. One of my production edge devices running Untangle is about 70 days away from 3 years of uptime!
@yeoldestonecats5025 1 year ago
I do remember the demo app for Windows. For us, partners since version 5.01, I think back to 2007 or even 2006. A few years ago I did a few writeups on Untangle for a few tech websites. Had a LOT of them out there in production, however my view of UTMs being super important for businesses is easing up; I'm focusing more on PDNS now. Also not confident in the direction Arista is taking Untangle.
@miles267 1 year ago
Same. Have used Sophos UTM, Sophos XG, pfsense and Untangle and ultimately Untangle NGFW (latest). Untangle the best of the bunch.
@zparihar 1 year ago
Great video Tom! I would add 2 things to the list: 1. API, 2. OpenVPN with LDAP/AD integration (and a bonus if it has 2FA), 3. VxLAN. The reason I moved over to OPNsense from pfSense was because of API support for firewall rule and network automation and VxLAN. VxLAN support is definitely more nuanced, but I'm getting more involved in hyperconverged virtualization. Yes, I don't like how often OPNsense updates either...
@LAWRENCESYSTEMS 1 year ago
Line 24 covers #2 and API would be a debate on how functional that API is. VXLAN is not really used in the SMB space and rarely in the homelab space.
@zparihar 1 year ago
@@LAWRENCESYSTEMS Hi Tom, I was referring to the distinction between users in AD/LDAP for firewall appliance login and users in AD/LDAP for OpenVPN login on the firewall appliance. For example, in pfSense, I can set up LDAP as my authentication server and then get my LDAP users to log into OpenVPN running on the appliance, authenticating against the LDAP server. Can that be done on UniFi appliances?
@LAWRENCESYSTEMS 1 year ago
Not sure how well that works with UniFI.
@proxykid567 1 year ago
Actually I do prefer the speed of the updates, as well as all the other reasons mentioned, main reason why I also moved to opnSense, and assisted 3 companies in migrating to it coming from pfSense.
@samadams4582 1 year ago
Technically, Meraki does have the vMX, which you can run virtualized. However, most people tend to use the Meraki hardware. The vMX is mostly for Cloud environments.
@MoD_Master_Of_Disaster_ 11 months ago
A vMX is only capable of facilitating VPN connections.
@thetrevster14 1 year ago
The Fortigate does have WAF/reverse proxy. You can turn the feature toggle on for it to display the options in the GUI to configure it.
@LAWRENCESYSTEMS 1 year ago
Yes, I updated the chart.
@DjRio0001 1 year ago
@@LAWRENCESYSTEMS FG also can run on VMs and containers.
@LAWRENCESYSTEMS 1 year ago
@@DjRio0001 Yes, that was noted in the video under "Can Be Virtualized"
@thighdude7 1 year ago
Thank you for this informative and unbiased content!
@segdesc 1 year ago
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
@r000tbeer 1 year ago
Thanks for this!
@redheelerdog 1 year ago
Great review Tom, very informative, thanks.
@viecus 1 year ago
For the most part, the best firewall is the one you know how to configure well... No point having a $10000 firewall if you don't turn any of the features on!
@not12listen 1 year ago
This was a nice breakdown! I used Meraki a few years ago and it was very 'hands off, you tech, leave it to us!' - which was frustrating. I've been on IPFire for several years now and think it would be a great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but I would be surprised if it would not hold its own.
@LAWRENCESYSTEMS 1 year ago
Not likely that I will use it as it does not offer any compelling features over pfsense.
@zeroibis 1 year ago
The firewall rule based on AD would actually be a great future feature for pfSense. Hopefully it is something we will see down the road.
@Traumatree 1 year ago
After the central management feature :)
@jimmymifsud1 1 year ago
@@Traumatree cloud management, then LDAP
@chrisslaunwhite9097 1 year ago
@@Traumatree If they did this I would sell boatloads, but now with 20 or so in the wild it's just too much to manage...
@amberayohester9196 9 months ago
Nice Content, Thank you
@eXdriver23 1 year ago
I have a question about pfSense and UniFi. I took your advice from watching your videos and ordered a Netgate 4100 Max and I want to order some UniFi switches, access points and cameras. I also want to order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with pfSense or would you recommend using a different solution to control and capture video for my cameras?
@engrpiman 1 year ago
My employer has always purchased Meraki direct through CDW / Insight so I don't know if they are going around MSPs. The license seems to also be a support agreement as they have replaced dead APs with newer models a few times.
@bblancoftb 1 year ago
I just upgraded my home internet connection to 3Gbps, and have been thinking about upgrading my firewall (Netgate XG-7100) to add 10G support. I really like the Netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter (since the XG-7100 doesn't support copper SFP+ modules) or upgrade the firewall. Curious to hear your recommendation.
@bsem68 1 year ago
Great video. I would like some more info on how you configure customer pfsense to VPN back to you and coordinate them all in regards to centralized management.
@LAWRENCESYSTEMS 1 year ago
I'll make a video on that soon
@tappys15 1 year ago
I would like to see this too please!
@ThisIsTenou 1 year ago
I think MikroTik's RouterOS would've been a nice addition to the chart as well, just for all the homelab peeps.
@LAWRENCESYSTEMS 1 year ago
I don't use them; they are inexpensive but also have a steep learning curve due to lacking documentation.
@ThisIsTenou 1 year ago
@@LAWRENCESYSTEMS @Lawrence Systems I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice. However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
@floodo1 1 year ago
Eyyyy perfect timing TY
@JonMajorCCIE47884 1 year ago
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
@MoD_Master_Of_Disaster_ 1 year ago
Meraki vMX only does VPN.
@JonMajorCCIE47884 1 year ago
@@MoD_Master_Of_Disaster_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
@ant1instant570 1 year ago
What are your thoughts on the extra advanced threat/malware detection features that some firewalls are preaching? Is there something similar for pfsense?
@davelloyd- 1 year ago
The thing that seems hard to find is decent reporting - I want to know how much data each of my devices is using, and also break it down by major apps (e.g., 100GB of Netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a Sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking - the fan also is way too loud for home. It lasted about 7 weeks before being packed back in its box never to be used again. Currently trying pfsense on an old Dell SFF PC - and meh; BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all and ntopng is complicated and I'm not convinced it's going to give me what I want. Some of the options (like Arista) I'd never even heard of before so it gives me something to look at anyway.
@mohammadqaisqurbany4251 1 year ago
It has now been 2 years that I have handled and managed FortiGate. I can say it can fulfill all the requirements of a business at a country level. Love this firewall.
@petermuller608 1 year ago
You are looking good! Did you do something to your hair?
@zenja42 1 year ago
To the Sophos - I loved their old SG (Astaro-ish) version that was a dream to work with. Now I'm doing XG and I hate it. They also charge for updates now; even though I have already got the Network Protection licence for 5 years, they now want me to pay extra. As it's an Intel based XG230, I will reinstall it with opnsense or just plain Arch Linux.
@jorgeaguirresuri 1 year ago
If we are talking SMB, those are ok; I would even consider using OPNsense or even Zentyal... but for more complex clients (like managing a lot of FWs, or doing some special things, etc.) we are talking about Palo Alto, Checkpoint, Fortinet, Cisco ASA, etc. BTW: Fortinet is Unix-like, not considered Linux (because it has its own kernel for their SoC).
@tbard 1 year ago
This. Especially the first three you mentioned. I am not sure if I'd consider ASA at the same level as the other three tho.
@bx1803 1 year ago
@@tbard PAN is the way to go for enterprise level NGFW.
@tbard 1 year ago
@@bx1803 that'd be my choice too, I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick Fortigate.
@rklauco 1 year ago
Great video!
@thepcenthusiastchannel2300 1 year ago
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to set up any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for auth is also very easy. I will say that I prefer pfSense but that's just me.
@tonkatuffnuts 1 year ago
FYI, I use custom feeds on our FortiGates straight from MS-ISAC.
@brianclarke8503 5 months ago
Personally, I like Fortigate as a solid, easy to configure, affordable all-around FW for SMB and large enterprises. For home, while I would still prefer using Fortigate, I can see the use case for pfSense if you need some common features that home users prefer like Tailscale, WireGuard, etc. With the small Fortigates being in the same price range as comparably spec'd pfSense appliances, I usually just go for Fortigate in most scenarios. You only need to pay for licensing if you're looking to unlock Layer 7 features.
@IkarosCanFly 1 year ago
I'm surprised Palo Alto didn't make the list.
@charlessloane 1 year ago
Yes I agree. They are a major player in the market.
@taetschmeischter 1 year ago
Checkpoint and Juniper for the big world 😂
@jetskisnowboardski 1 year ago
Looking at the brands I’d say these are the small business options.
@ernestoditerribile 1 year ago
@@taetschmeischter Yep, I truly love Juniper, IBM, HP Aruba and Cisco switches and firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. pfSense is really complete and easy to install. The rest I don't really know. So I will find out in this video. Haven't started watching yet.
@ernestoditerribile 1 year ago
Don't use Netgate appliances for your firewalls. Use quad or octo Xeon CPUs in your datacenters or Cisco 9300 series. Or Juniper SRX series. As soon as you go above 40 Gbps throughput, your speeds will suffer enormously. Made that mistake once at a client, who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
@GT500Shlby 1 year ago
Would be interested in seeing how you used VPNs for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
@adamschimmel4070 1 year ago
I like the pfsense Plus feature to import OpenVPN client configs 😉
@ShadowRaxx 1 year ago
Another nice column would be log output format like CEF over Syslog etc
@FireBean8504 1 year ago
Cannot wait for you to try Palo Alto firewalls!
@Felix-ve9hs 1 year ago
I didn't realize that Untangle is owned by Arista, I only really knew them from their datacenter grade switches.
@kxpn 1 year ago
I purchased a Mikrotik router about 30 days ago, absolutely horrible documentation, never did figure it out, am now switching to pfsense with so much support, unbelievable.
@apalrdsadventures 1 year ago
How's IPv6 support on these - is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
@LAWRENCESYSTEMS 1 year ago
I never have to use IPv6 so I didn't put it on the list.
@Knirin 1 year ago
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience. The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
@ierosgr 1 year ago
Kind of an irrelevant question, but when you use pfsense (OPNsense and others) do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfsense behind it? Especially nowadays that all connections have VoIP it is even more difficult to do so, since many providers (at least in my country all of them) don't provide VoIP credentials to set it up on your own. So you end up with double NAT and pfsense sees the internal IP address as the public one. On the other hand I don't think pfsense can act as a standalone modem so it needs one in front. Am I right? Thank you
@marcogenovesi8570 1 year ago
Yes, these are all firewall solutions, not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them.
@ierosgr 1 year ago
@@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than we do here in Greece (they act like a different government and try anything but to help the client).
@battlefreek 7 months ago
Happy with Untangle/Arista for my customers for years and yes, some parts are to be paid for in the full version but you can choose not to.
@dabneyoffermein595 7 months ago
If we keep Snort & Suricata (sorry for spelling) off initially after setting up a pfsense, is that a risk? In other words, should one of them be enabled at all times? Or is the default setup wizard completion at least offering a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? Thanks in advance so much!!!!
@LAWRENCESYSTEMS 7 months ago
Leaving them off is fine
@davidbailey3289 1 year ago
Thanks for the review. Any chance you ever do a review of antivirus that works well with this?
@LAWRENCESYSTEMS 1 year ago
I think you are asking about firewall based AV and I am not aware of any that are effective.
@0M9H4X_Neckbeard 1 year ago
We've gone from pfSense -> Sophos XG -> FortiGate and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main use case) by doing a fake NAT and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and like I said - it also just doesn't work at all. No such issues or workarounds at all on the FortiGates.
@SophosDACHSE 1 year ago
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
@justinc.2656 11 months ago
I really like working with Meraki but you have to prepare yourself (or at least management) for the ongoing licensing costs.
@dcuccia 1 year ago
Curious what the SMB uptake is for Firewalla (Understand why it's not here - I watched the video :))
@LAWRENCESYSTEMS 1 year ago
I have links to reviews in the description, I really feel it's a consumer product and I find it odd that it uses a phone app for management.
@runge340 1 year ago
The FortiGates can also use their Let's Encrypt certificate for the SSL VPN and the VPN web portal, which is great.
@williamgregoire9418 3 months ago
Fortigate can run on your own hardware with the FortiGate VM
@blackshelbygt500kr 1 year ago
Fortigates can do reverse proxy as well as WAF. I have a Fortigate running a reverse proxy in my house right now.
@LAWRENCESYSTEMS 1 year ago
Interesting, all I found in their documentation was HTTPS load balancing, which is not exactly the same as a reverse proxy.
@Faithhh071 1 year ago
@@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load-balancers because it sells better? Technically load-balancers are just glorified reverse proxies.
@tombruton 1 year ago
@@LAWRENCESYSTEMS Virtual servers is their branding around that feature; I admit it's not clear at first glance.
@LAWRENCESYSTEMS 1 year ago
I updated the chart
@christopheoudin3625 1 year ago
Great video! What do you think about Mikrotik?
@LAWRENCESYSTEMS 1 year ago
That they have a steep learning curve and lacking documentation
@MactelecomNetworks 1 year ago
Great video. I honestly think UniFi is the easiest VPN, but I do use that the most. Next up would be pfSense.
@LAWRENCESYSTEMS 1 year ago
Their site-to-site is; their user VPN is lacking.
@MactelecomNetworks 1 year ago
@@LAWRENCESYSTEMS Agree, UID is much easier. But most people won't sign up for that and it is a lot more steps.
@abe6215 1 year ago
@@LAWRENCESYSTEMS have you tried UID?
@etkasper 1 year ago
It would be awesome if you could please do a video on Twingate as well, I am curious to know what you think. Thank you.
@LAWRENCESYSTEMS 1 year ago
I don't really have any interest in Twingate: closed source vs. Tailscale, which is open source, more transparent, and has better documentation.
@canadianwildlifeservice8883 1 year ago
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
@geepeezee5030 1 year ago
Sophos's UTM does support LE directly from within the UI. XG (SFOS) requires half-assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and is going EOL entirely 6/2026. That's progress for you!
@canadianwildlifeservice8883 1 year ago
@@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro) then killed it, after they bought XG which was owned by Cyberoam.
@evelbsstudio 1 year ago
I'm looking at the UniFi UDM Pro; the SE isn't worth the extra, I already have the PoE injectors. I think the UDM Pro is easier to set up etc. than pfsense. The only thing I don't like about UniFi is they're slow at putting out patches and new features. I could virtualise pfsense I suppose... aarrggh, stuck between what to get now lol..
@andriitarykin9567 1 year ago
What about WatchGuard? :-) I have actually used their deprecated hardware for pfSense for a while.
@ericapelz260 1 year ago
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations etc.
@LAWRENCESYSTEMS 1 year ago
There's no one to one transfer and are you using the web filtering on Untangle? There is no good equivalent in pfsense.
@bx1803 1 year ago
@@LAWRENCESYSTEMS use pihole for this.
@bertblankenstein3738 1 year ago
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device, set it up and then cut over at some point, at which time you find out if you got all the settings right.
@chrish297 1 year ago
Excellent video and perfect timing. We are considering a new firewall.
@paulvancyber1979 1 year ago
I like WatchGuard! And pfsense
@Imphrox 11 months ago
Would've loved to see OPNsense. Also, sadly there's no automation capability comparison.
@zika1022 1 year ago
I'm using pfSense and tried to block some websites such as KZfaq but it's not working, using everything from pfBlockerNG to firewall rules. Could you explain why?
@arthurascalon3867 1 year ago
Informative video... however, we use Sonicwall.
@Stev.3n 1 year ago
We primarily use SonicWall and Meraki but have a few Fortinet and UniFi we support. As of late I've started to hate the SonicWalls for some stability issues/bugs myself and other admins have encountered. Personally for homelab I like UniFi as well as pfSense for testing.
@LAWRENCESYSTEMS 1 year ago
That is why I left SonicWall off the list; I know many are using them, but no one states they like them.
@jasper221176 1 year ago
We were a SonicWall user... never going back, because of their aggressive way of selling.
@Redspence73 1 year ago
When Dell bought SonicWall years ago it was the beginning of the end for them, at least in my mind. Though truthfully I haven't touched one in quite a while.
@MoonWalkCTO 1 year ago
@LAWRENCESYSTEMS I have been using SonicWall for 20 years and they just keep getting better and better. I have hundreds of them running without a single glitch. Ever.
@rickkephartactual7706 1 year ago
I started out with my PF Flyers sneakernet firewall back in the '80s; you kids may not understand. I do not want to go back to those days; it was fun then, but now, LOL, no way.
@jordanshear4753 6 months ago
Meraki is not allowed to sell directly; if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic, but the bottom line is: communication fixes all.
@spambucket1999 1 year ago
Meraki can be virtualized using their vMX service.
@Foars989 1 year ago
I just wanna mention that the Sophos Home edition is only hardware limited (4 cores & 6 GB RAM); you still get the entire software package free.
@DavidSondermann 1 year ago
True, but it really doesn't matter in a home environment. I've got over 250 clients in my network, about 40 VLANs, 50-ish rules, static routing, a RED connection to my cloud-hosted XG, 10/40 Gbit networking, and I've never experienced any issues concerning the hardware limit.
@Foars989 1 year ago
@DavidSondermann Wasn't insinuating that it was a negative, just didn't want people to see Home Edition & think it would be heavily dumbed down vs the paid version. Been using it myself a couple of years with no issues.
@TheDeepSpacer 1 year ago
I'm myself an IT Security Engineer. The video was pretty good. Sadly no Palo Alto was in the comparison. Personally I worked with the old Sophos UTM, which in my opinion had the best UI for new users. The new XG is a step, but in the wrong direction. Therefore we switched to FortiGate, which are pretty nice. My homelab is based on an 80F. But the Palo Alto is kind of my favourite FW. And one thing I have to say: no FW should have a mail filter or reverse proxy, because there are way better products like the NetScaler and the IronPort.
@Traumatree 1 year ago
NetScalers are for big companies that have A LOT of stuff that people can access, and are mostly a thing of the past unless you are vendor locked-in and forced to host your own stuff. In today's space, most companies should probably host their services on Azure/AWS/Google and benefit from their own netscaling infrastructures that no one can challenge.
@urzu181 1 year ago
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out MikroTik as well. A number of companies, and even ISPs, use MikroTik. Not that I'm a fan of MikroTik or anything; in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe MikroTik should have a place in the list just like UniFi.
@LAWRENCESYSTEMS 1 year ago
I don't use them, and their steep learning curve and lack of documentation does not make me want to.
@jaimeb5550 10 months ago
I don't know what you're smoking; MikroTik has to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface-wise... Vendors do/name things slightly differently, but MikroTik takes the cake when it comes to confusing the hell out of you... Good luck troubleshooting complex setups on them.
@TruWrecks 1 year ago
I use IPFire and so far it is solid and smooth.
@LAWRENCESYSTEMS 1 year ago
I was going to do an April Fools video reviewing one of the really old firewall distros I used to use, but I ran out of time.
@Darkk6969 1 year ago
Good ole IPCop, which is what IPFire is based on. Happy to see it's pretty active. I moved to pfSense a long time ago as I needed more enterprise-like features.
@sufyankhanbest 1 year ago
What about Fortinet NGFW? Currently I am using pfSense but would like to move on to another FW as Squid is no longer supported. Our main use is to block all websites and certain websites group-wise, and allow all websites to Management.
@LAWRENCESYSTEMS 1 year ago
Due to more encryption being used today, filtering web traffic at the firewall is more challenging than using a tool on the endpoint. We use Zorus for web filtering. Fortinet is a security mess: kzfaq.info/get/bejne/bdl1fJtqq6eoY5c.html
@Gentlemanspot 1 year ago
Would be good to see SAML/SSO support :p
@nelsonmaranonjr.537 1 year ago
Hi Tom, can you do a review on Zenarmor on pfSense?
@LAWRENCESYSTEMS 1 year ago
Nope, not something I plan on using.
@johnb3616 1 year ago
So I have a question about the recent pfSense update... I have an SG-3100, which I know Netgate stopped selling, but when I try updating the software on my appliance it just keeps looping and doesn't seem to update. Should I just reset my appliance, or is there something to do to force the update to install?
@LAWRENCESYSTEMS 1 year ago
Or you could do a fresh install with the latest version and reload.
@johnb3616 1 year ago
@Lawrence Systems Ah yeah, I didn't think about that. I just got frustrated, I guess. Thank you, I'll do that.
@geevee9728 1 year ago
IDS/IPS, content filtering, DNS filtering, GeoIP filtering... So what features do they need to add to consider these as NGFW?
@LAWRENCESYSTEMS 1 year ago
NGFW is whatever marketing says it is.
@geevee9728 1 year ago
@LAWRENCESYSTEMS I only ask because whenever the topic of cyber insurance comes up at work they always try to check off features of our pfSense against the mythical NGFW 🙂
@canadianwildlifeservice8883 1 year ago
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
@minigpracing3068 1 year ago
I thought you also used Untangle for places that need web filtering? (edit, typed too soon)
@LAWRENCESYSTEMS 1 year ago
We do, but not often as endpoint filtering is easier to manage.
@RobbyPedrica 1 year ago
It would seem from the listed criteria that this video is more focused on the SMB or entry-level market; I didn't see positioning for this, so apologies if I missed it. And nothing wrong with that. But there's a huge set of features missing here that relate to the mid- and enterprise market. Many of the firewalls here would be removed from the chart for lack of support. Link performance metrics, VXLAN, EVPN, TWAMP, CGNAT, hyperscale, SSO, hardware switching, IPsec aggs, ZTNA, SAML, wired and WiFi NAC, dynamic cloud objects/SDN, dynamic mesh IPsec, etc. The list goes on and on. So these need to be considered for the use case you need.
@RobbyPedrica 1 year ago
Also wanted to mention that the FortiGate supports the complete ACME protocol, not just Let's Encrypt. Not sure about the other products. With recent murmurs from Google about wanting 90-day TLS certificate expiry, this is going to be a critical feature.
@LAWRENCESYSTEMS 1 year ago
I look forward to getting everyone on the 90-day certs and supporting ACME.
@RobbyPedrica 1 year ago
@LAWRENCESYSTEMS In two minds about this; there's a lot of stuff that has convoluted certificate management, SAP especially comes to mind here.
@GXShade 1 year ago
I personally like your shirt
@mcury85 1 year ago
Meraki IPS is something you can't tune... on or off. Also, use a cloud to configure it? I don't like it...
@JonathanRLight 1 year ago
Informative comparison, thanks for this video. "Can run on your own hardware" leaves only a few choices, and now that Untangle is Arista, that leaves Sophos and pf/OPNsense, which basically leaves *sense. I should do my own homework, but as a feature comparison, adding Proxmox to the list might show how far it falls short, or not. I get the impression that feature-wise Proxmox might be a little behind but offers other advantages on the same machine. I'm interested in any other alternatives or suggestions, and corrections if this is wrong.
@LAWRENCESYSTEMS 1 year ago
Proxmox is a virtualization platform, not a firewall.
@JonathanRLight 1 year ago
@LAWRENCESYSTEMS The Proxmox firewall is a fully functional built-in firewall solution that updates the underlying iptables rules automatically in the Proxmox server, clusters, containers, and virtual machine guests. It provides the added benefit of cluster-wide firewall configuration that provides a central firewall solution implemented with firewall configuration files. I was planning on installing this on an old box to play around with it, but it sounds like a complete pain to do something that's relatively easy in other solutions.
@scottjacobs8245 1 year ago
Not sure what was meant by the comment about Untangle, but the Arista acquisition hasn't changed the fact that it is installable on your own hardware.
@zparihar 1 year ago
Actually @Jonathon and @Tom, Proxmox does have an integrated firewall, but keep in mind that it's designed specifically for Proxmox hyperconverged abilities and is excellent for that. But if you are looking for a feature-rich firewall, then it's not the way to go. I'd go with pfSense or, better yet, OPNsense because it has APIs for automation and also VXLAN, which is a powerful SDN feature of Proxmox-integrated Open vSwitch (OVS).
@JonathanRLight 1 year ago
@zparihar I have been very impressed with both OPN and PF on hardware. The common wisdom, and reputation, of Proxmox is as you say, but the reasons why are never clearly stated, which is more my question. Not necessarily challenging the common opinion, but no real reasons are ever given, just the "party line". Which feature it's missing to make it on par with other choices is something your comment starts to point out.
@iowawizkid1 1 year ago
For the SMB, I feel you are missing the boat by not including WatchGuard.
@H3kler 6 months ago
I'd be interested to hear your thoughts on Palo Alto Networks products.
@LAWRENCESYSTEMS 6 months ago
They work well.
@markus711 11 months ago
Anyone know which firewall can handle VLAN-tagged PPPoE with speeds over 900 Mbps?
@89tsupra 10 months ago
What firewall do you recommend for a PPPoE 3 Gbps+ fiber connection?
@LAWRENCESYSTEMS 10 months ago
I never use PPPoE, so I don't have any suggestions.
@89tsupra 10 months ago
@LAWRENCESYSTEMS Thank you for your reply. I know pfSense supports it, but it's not quick since it's a single-threaded process.
@skaterpunk0187 1 year ago
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway, then Sophos UTM. I still have a few of the Astaro APs.
@TheDrew2022 1 year ago
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
@abe6215 1 year ago
Switching to Sophos XG from Meraki has been a very bad experience for us.
@HisLoveArmy 1 year ago
Same. The SG interface and features are still better than the XG.
@DavidSondermann 1 year ago
Long-term Sophos/Astaro UTM user here. I finally migrated from UTM to XG in my homelab environment and the first steps were pretty wonky for me. I adjusted to the new UI quickly and can't imagine going back to the old UTM. Sadly I've got some problems with the XG lately. Daily mails about the log threshold/disk space. The VM has 150 GB... My UTM worked with an 80 GB SSD.
@M.4y 1 year ago
Sadly the UTM is EOL now. The XG web interface is trash.
@arthurtecpc 1 year ago
I missed the SonicWall and Sophos on the list. Anyway, it's an excellent video, Lawrence.
@arthurtecpc 1 year ago
Sorry, Sophos is on the list. I really would like to see MikroTik on the list.
@JzJad 1 year ago
SonicWall would be an expensive demo.
@Traumatree 1 year ago
@JzJad For what it's worth, it is a waste of time and money.
@Traumatree 1 year ago
@arthurtecpc MikroTik's bastardized way of doing things is why people are not using it. Their prices are good, but that's it.
@JzJad 1 year ago
@Traumatree Sadly I'd have to agree, having deployed them for 5 years, obviously not my choice.
@HisLoveArmy 1 year ago
I don't get why pfSense doesn't have any easy way to do content filtering. Even if it's paid, the option would be nice. How come all the others can do it easily? I use Sophos and that's the main reason why. They are reliable and can block a ton of apps.
@canadianwildlifeservice8883 1 year ago
It has Zenarmor now.
@OPatron24 1 year ago
Love the shirt lol
@shadow.banned 1 year ago
What is the dummy-mode firewall for non-networking dummies that still want privacy/security? Pi-hole?
@m47145gp 1 year ago
What do you think of Endian Firewall?
@tschnellbach 1 year ago
I uploaded 3 different messages and YouTube deleted them with no notification after. What did I do wrong?
@LAWRENCESYSTEMS 1 year ago
KZfaq's spam detection system is a mystery to us creators as well; that is why I have forums.
@Wadmd 1 year ago
I'm a network guy joining the MSP space. Meraki, UniFi, then others. Sophos and FortiGate are out there, but Meraki and UniFi are better for our use case. This is coming from a SonicWall and MikroTik background as well. Currently looking at Araknis.