Friday, January 19, 2018

Looking for some guidance on replacing our SonicWalls

First a little background. Currently we have SonicWall NSA 240s/TZ210s deployed at our office locations and NSA 3500s deployed at our primary/secondary datacenters. The primary method of connectivity between our sites is a MPLS WAN, but we do use the SonicWalls to provide backup VPN connectivity to our datacenters via broadband connections at each site in the event that the MPLS circuit is down. Because our network is not flat, we used tunnel interfaces with advanced routing (OSPF) enabled, as described here. The SonicWall at each site forms an OSPF adjacency with the local Cisco 2900 series ISR (which acts as the default gateway for the site, the uplink to our MPLS WAN, and as a voice gateway for CUCM, so these aren't going away). If the MPLS circuit drops then the local ISR drops the routes learned via the MPLS network, sees that those routes are available via the SonicWall (which it learned via OSPF by way of the VPN tunnel) and routes traffic accordingly. Again, because of the number of VLANs (some of which are stretched between our datacenters), the traditional site-to-site VPN where you have to define the subnets that are reachable on each side (or where they have to be local to the firewall) isn't a fit for us. Aside from a break in connectivity when the switchover happens, we are very happy with this solution.
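To make the failover logic concrete, here is a small added model of the site ISR's route selection (constructed example, not from this post or from any vendor's code). It assumes the MPLS-learned routes arrive via eBGP (administrative distance 20) and the tunnel routes via OSPF (110), and uses made-up datacenter prefixes; it shows why the SonicWall-learned routes only take over once the MPLS routes are withdrawn.

```python
"""Constructed model of a site router choosing between MPLS and VPN-tunnel routes."""
from dataclasses import dataclass
from ipaddress import ip_network, ip_address

# Cisco IOS default administrative distances; the MPLS-via-eBGP part is an assumption.
AD = {"mpls-bgp": 20, "vpn-ospf": 110}


@dataclass(frozen=True)
class Route:
    prefix: object   # IPv4Network
    next_hop: str    # "mpls" or "sonicwall-tunnel"
    source: str      # key into AD


class RIB:
    def __init__(self):
        self.routes = set()

    def install(self, prefix, next_hop, source):
        self.routes.add(Route(ip_network(prefix), next_hop, source))

    def withdraw_source(self, source):
        """Drop every route learned from one source, e.g. when the MPLS circuit fails."""
        self.routes = {r for r in self.routes if r.source != source}

    def lookup(self, dst):
        dst = ip_address(dst)
        candidates = [r for r in self.routes if dst in r.prefix]
        if not candidates:
            return None
        # Longest prefix match first; among equal prefixes the lowest AD wins.
        best = min(candidates, key=lambda r: (-r.prefix.prefixlen, AD[r.source]))
        return best.next_hop


def build_site_rib():
    rib = RIB()
    for p in ("10.10.0.0/16", "10.20.0.0/16"):   # constructed datacenter prefixes
        rib.install(p, "mpls", "mpls-bgp")            # preferred path
        rib.install(p, "sonicwall-tunnel", "vpn-ospf")  # backup learned over the tunnel
    return rib


def failover_demo(dst="10.10.5.1"):
    """Return (next hop while MPLS is up, next hop after MPLS routes are withdrawn)."""
    rib = build_site_rib()
    before = rib.lookup(dst)
    rib.withdraw_source("mpls-bgp")
    return before, rib.lookup(dst)
```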

Some of our SonicWalls are coming up on EoS, so it is time to look around at alternatives. The names that are on my radar are Palo Alto, Watchguard (because we have some staff that have experience with them, although I have my reservations based on the little I've seen), and ???

Palo Alto seems like it can do the route-based VPNs based on what I've read here. On the Watchguard side it seems like maybe BOVPN is the equivalent functionality, maybe. I am leaning away from pfSense (because I don't like how everything is a bolt-on, i.e. Quagga, Snort), Fortinet (because of what I've read about performance and support), and Meraki (because of limited OSPF support). Also not a fan of Cisco ASAs (despite being a Cisco route/switch shop), but to be fair it's been a while since I've worked with one. Have I ruled out any that I shouldn't have? Are there any others I should look at? Price will not be the deciding factor and I am well aware of where PA falls on the price spectrum, but if I can get the functionality I want at a fraction of the cost then I'll listen.

In addition to supporting something similar to what we're doing today for WAN failover, the features we are looking for include:

  1. Performance/throughput - not sacrificing either, no matter what bells/whistles we turn on.
  2. Support - has to be top notch. No more "please reboot your firewall because the # days uptime is too high".
  3. IPS/IDS/Threat Prevention - needs to be able to identify/block/alert on legitimate threats, ideally without generating a load of false positives.
  4. Ease of management - say what you will about the SonicWalls, but I actually like their UI. We have a LOT of firewall/NAT rules and address objects, so being able to quickly sift through them is important.
  5. SSL VPN connectivity - used as a back-door by certain IT staff in case the primary remote access method (Citrix) is down.
  6. Management - some sort of centralized configuration management would be nice, but not a necessity.
  7. Any other "must have" "next gen" features that I may not be aware of because I've been living under the SonicWall rock for so long.

Also, the fact that our setup (MPLS plus broadband) at each location is ripe for an SD-WAN solution is not lost on me. I am just wondering if that is too much to bite off right now. A solution that would set us up to leverage SD-WAN 1-2 years down the road would be nice though... Our Cisco rep tells us that exciting things will be happening with the ISR line due to the Viptela acquisition, so maybe a wait-and-see approach is correct for now.

Lastly, if anyone has a VAR that they are particularly fond of for their product of choice (primarily because of the technical resources available), I'd like to know that as well.

Thanks in advance.

TL;DR Looking to replace aging SonicWalls. Need something with robust OSPF capabilities, plus other bells and whistles that we may not even know we are missing out on.


