We have an SRX650 that is not doing so well. We've got approximately 1gbps or 2gbps going through it, plus VPNs and BGP running over those VPNs. It's sitting at 70% CPU usage most days, and any traffic spikes really start to strain it. So I'm looking for a new firewall. It's for a data center, with no user traffic going through it, as in there's no user traffic for random internet browsing coming through this data center. There are users from the internet that connect to our servers in this data center, but no users going out. Simply web servers serving requests, SMTP servers, etc. On that basis, I don't think I need all the anti-malware, etc. type stuff that a UTM usually provides. The IPS does appeal to me though; it's a nice-to-have at this point. So basically, I've got the following requirements for the new firewall:
- Not Cisco
- Layer 7 capabilities (NGFW)
- Ease of adding firewall rules (We have a few server administrators who will be adding / removing firewall rules)
- Approx. 6gbps of throughput (includes VPN / BGP traffic)
- Preferably 10gbps ports
Based on this, I'm looking at Palo Alto, Juniper and Fortinet. My background is all Cisco and Juniper. I'm not clued up with Palo Alto and Fortinet firewalls. To be honest, I haven't had to buy a firewall new in years. Like several. I'm not asking for a rough comparison of vendors. Those are fairly easy to find online and figure out the who's who of firewalls (that's how I know to eliminate Cisco, also previous experience!). I've spoken to a few VARs and they seem to give me different answers, some telling me all are too small, go bigger! Etc.
The Juniper land device seems to be the SRX1500 with no IPS (The ordering code would be just a SRX1500-SYS-JE-AC). I believe that Juniper IPS is pretty crap anyway. I'd like to use the Layer 7 capabilities though, the AppID?
Palo Alto, the PA 3260 looks too small to fulfill these requirements, based on the 5gbps of Threat protection traffic. So I'd either have to go no-IPS and PA-3260 OR IPS and PA-5220. Is that correct? Would I simply need to add the ThreatProtection license to get a real IPS?
Fortinet, the Fortinet 600E seems to fit the bill. So the Fortinet FG-600E with a Threat Protection license only?