2023 Firewall Features Compared: pfsense | Arista | UniFi | Sophos | Fortinet | Meraki & What We Use

  121,238 views

Lawrence Systems

1 day ago

lawrence.video/firewallreview...
pfsense tutorials
lawrence.video/pfsense
UniFi Tutorials
lawrence.video/unifi
Christian Lempa Sophos XG & other great videos
• Protect your home netw...
Stacey on IOT Firewalla Review
staceyoniot.com/tag/firewalla/
The Network Berg MikroTik & Other Networking videos / @thenetworkberg
⏱️ Time Stamps ⏱️
00:00 Firewall Comparison Chart
00:48 How We Made The List
02:15 pfsense CE VS pfsense plus
03:02 What About OPNsense
04:28 The Chart of Firewalls, pfsense, Arista Untangle, UniFi, Fortigate, Sophos, Meraki
06:20 Virtualization support
06:51 Central Management
08:17 Web Management Interfaces
08:51 License Fees
10:36 High Availability
10:56 BGP/OSPF
11:37 SDWAN
11:54 OpenVPN, Wireguard, L2TP, & IPSEC Support
14:38 Tailscale
15:15 IDS/IPS Traffic Inspection
16:31 Web Content Filtering DPI & SSL Inspection
17:24 DNS Filtering
18:21 Traffic Shaping
18:40 Multi WAN
19:22 Active Directory Integration
19:44 Policy Routing
20:20 Firewall Rules Based on Active Directory
20:50 Reverse Proxy & Let's Encrypt
22:52 Captive Portal
23:20 Traffic Reporting
24:00 VLAN Support
#firewall #networking #security

COMMENTS: 429
@LAWRENCESYSTEMS 1 year ago
A few notes: The Fortinet DOES have a reverse proxy (not just load balancer). The Sophos DOES support Let's Encrypt for their web interface.
@SmoothOper4t0r 1 year ago
FortiGate can be run as a virtual machine. What about Antivirus, Antispam, File Filter, SSL inspection, SD WAN, IPS that actually gets the job done? This is a really limited list to only stuff that PfSense does.
@LAWRENCESYSTEMS 1 year ago
You either did not watch the video or did not look at the comparison chart (probably both) because most of those features are on the list.
@SmoothOper4t0r 1 year ago
@LAWRENCESYSTEMS multiWAN is not SD-WAN. Antivirus or Antispam is not mentioned at all. The hard truth is that Open Source firewalls are really not that good when it comes to endpoint protection, from Antivirus, to content filtering, they are just too much to handle. Even then, they are not reliable. IPS is covered, sorry about that. Although, IPS with SSL enabled is a whole other story.
@LAWRENCESYSTEMS 1 year ago
Multiple wan and sdwan is on there. So is the SSL inspection. Are you even looking at the same chart? For someone trying to make their point about "The Hard Truth" of Open Source, not reading the materials presented is not helping your credibility.
@GT500Shlby 1 year ago
@SmoothOper4t0r You don’t need endpoint protection, that's what Cylance/Crowdstrike/Sentinel One is for. Same with the SIEM, let the soc handle it, buy it as a service that just works and check it off your insurance form. Then get Threatlocker.
@DPCTechnology 1 year ago
Great stuff! would love this to be an annual thing. Great reference!
@connorfreebairn6537 1 year ago
Really appreciate the run down. Comparing firewalls is hard at the best of times, happy you made this video. (The sheet could be a very useful resource in the future) 👍
@aimestereo 1 year ago
Thanks pal, great help on this topic!
@nicoribeiro23 1 year ago
Most wanted video for quite some time. Thanks Lawrence
@danroot84 1 year ago
Lol just fyi his name is Tom Lawrence.
@stevenmishos 1 year ago
4 minutes of disclaimers so Tom doesn't have to deal with, "why not xyz?" ... will still be asked, "why not xyz?".
@LAWRENCESYSTEMS 1 year ago
Yes, but all those comments do help the YouTube algorithm know that people find this content engaging!
@josealfredfernandes 1 month ago
Which is the best? Is it Sophos? @LAWRENCESYSTEMS
@LAWRENCESYSTEMS 1 month ago
@josealfredfernandes The best one is the one that fits all your needs.
@ronnie141z 1 year ago
Thanks for the video Tom, just a quick correction though, you might want to rename the 'Operating System' row to 'Kernel'. Keep up the great work, I enjoy your videos a lot!
@pest86 1 year ago
I was using pfsense for 5+ years and recently started having issues with rule schedules not blocking what I need to. Switched to opnsense and was amazed - issues are gone and I live in 2023 now, not in 2000 pfsense web UI stuck into. Very happy with it and would say it is worth trying
@angelgonzalez2379 1 year ago
Didn't realize the guis were that different. I haven't had any issues with pfsense yet, but I might spin up opnsense just to see what I might be missing.
@TheFibie007 1 year ago
Am interested in a bit more specification if you don't mind. Maybe I'd have to look into this.
@pest86 1 year ago
@TheFibie007 I have some ips that should be restricted going outside based on schedule. I've created 2 rules - one to block always and another to allow on specific schedule. It's been working for years but latest update broke it. I've been using home Plus licence. Rules just stopped working - schedule was ignored. The only way to enforce the rule was to reboot pfsense. Client wifi reconnection and even reboot didn't do anything. To illustrate, rule allows connection but client can't connect, pfsense rebooted - client can connect. Then rule does not allow connection but client still can connect even connecting to the lan after the disabling rule in effect, again pfsense reboot is the only way to enforce it.
@geepeezee5030 1 year ago
I actually prefer the pfsense ui. It seems more logically laid out, at least in my mind. Opnsense's ui is more "modern" looking but not necessarily better. On the same browser it is slower to navigate between screens. Also, the gray colored font is harder to read than pf's more contrasting colors. Regarding the scheduling issue, likely a pfsense bug that needs to be fixed. This is version 23.01. By 23.10 hopefully most bugs will be fixed. Learned a long long time ago to never update to the newest version right away. Give it at least 6 months before even considering testing it.
@pest86 1 year ago
@geepeezee5030 pfsense UI is usable, no doubt. I prefer opnsense UI but it's a personal taste. I haven't upgraded straight away, gave it a couple of months from the release. Rather than reinstall I've decided to try opnsense and, as I've mentioned, not looking back.
@lumarel 1 year ago
I was kind of a long time user of pfsense, and still use it for old testing environments, but at one point I got a Mikrotik Router, that has served me very well for any needed advanced firewall configurations, as well as VPN endpoints.
@minigpracing3068 1 year ago
RouterOS has a lot of good features inside.
@jzcalderon 8 months ago
Except when you need Ipsec VTI 😅
@tillburn 1 year ago
Awesome! Love the shirt Tom.
@_R_o_n_a_l_d_ 7 months ago
Long term Meraki user here, I even have 4 years and 299 days left on my licenses, but recently I moved to Pfsense. Main reason for ditching the Meraki MX64 firewall is that we've outgrown it. Being limited at 250Mbit on the WAN side is a 50% reduction of my internet speed (the ISP does give us a "free" speed increase every year or so). After having tested Pfsense as a VM on a Synology DS1621+ for a week, I bought the Netgate box. So last Friday I received my Netgate 6100 (with 4 years hardware support contract). Man am I blown away by it. Yes Meraki has some nifty features, though I don't think I'll miss them that much on our home network. I'm quite certain the Netgate box will serve us well for the next few years.
@r000tbeer 1 year ago
Thanks for this!
@floodo1 1 year ago
Eyyyy perfect timing TY
@davidyoder5890 1 year ago
I've been using Untangle since it was a Windows app (yes, you read that correctly), and I absolutely love it. No product is without its downfalls, but Untangle has been rock solid for me for at least 10 years. One of my production edge devices running Untangle is about 70 days away from 3yrs of uptime!
@yeoldestonecats5025 1 year ago
I do remember the demo app for Windows. For us, partners since version 5.01, I think back to 2007 or even 2006. A few years ago did a few writeups on Untangle for a few tech websites. Had a LOT of them out there in production, however my view of UTMs being super important for businesses is easing up, I'm focusing more on PDNS now. Also not confident in the direction Arista is taking Untangle.
@miles267 1 year ago
Same. Have used Sophos UTM, Sophos XG, pfsense and Untangle and ultimately Untangle NGFW (latest). Untangle the best of the bunch.
@thighdude7 1 year ago
Thank you for this informative and unbiased content!
@samadams4582 1 year ago
Technically, Meraki does have the vMX, which you can run virtualized. However, most people tend to use the Meraki hardware. The vMX is mostly for Cloud environments.
@_R_o_n_a_l_d_ 8 months ago
a vMX is only capable of facilitating VPN connections
@amberayohester9196 6 months ago
Nice Content, Thank you
@zparihar 1 year ago
Great video Tom! I would add 2 things to the list: 1. API 2. OPENVPN With LDAP/AD integration (and bonus if they have 2FA) 3. VxLAN. The reason I moved over to OPNsense from pfSense was because of API support for firewall rule and network automation and VxLAN. VxLAN support is definitely more nuanced, but I'm getting more involved in hyperconverged virtualization. Yes, I don't like how often OPNsense updates either...
@LAWRENCESYSTEMS 1 year ago
Line 24 covers #2 and API would be a debate on how functional that API is. VXLAN is not really used in the SMB space and rarely in the homelab space.
@zparihar 1 year ago
@LAWRENCESYSTEMS Hi Tom, I was referring to the distinction between users in AD/LDAP Firewall appliance Login and users in AD/LDAP OpenVPN on the Firewall appliance Login. For example, in pfSense, I can set up LDAP as my authentication server and then get my LDAP users to log into OpenVPN running on the appliance and authenticating against the LDAP server. Can that be done in Unifi appliances?
@LAWRENCESYSTEMS 1 year ago
Not sure how well that works with UniFi.
@proxykid567 1 year ago
Actually I do prefer the speed of the updates, as well as all the other reasons mentioned, main reason why I also moved to opnSense, and assisted 3 companies in migrating to it coming from pfSense.
@redheelerdog 1 year ago
Great review Tom, very informative, thanks.
@segdesc 1 year ago
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
@engrpiman 1 year ago
My employer has always purchased meraki direct through CDW / Insight so I don't know if they are going around MSPs. The license seems to also be a support agreement as they have replaced dead APs with newer models a few times.
@brianclarke8503 3 months ago
Personally, I like Fortigate as a solid, easy to configure, affordable all-around FW for SMB and Large Enterprises. For home, while I would still prefer using Fortigate, I can see the use-case for PFSense if you need some common features that home users prefer like tailscale, wireguard, etc. With the small Fortigates being in the same price range as comparably spec'd PFSense appliances, I usually just go for Fortigate in most scenarios. You only need to pay for licensing if you're looking to unlock Layer7 features.
@thetrevster14 1 year ago
The Fortigate does have WAF/reverse proxy. You can turn the feature toggle on for it to display the options in the GUI to configure it.
@LAWRENCESYSTEMS 1 year ago
Yes, I updated the chart.
@DjRio0001 1 year ago
@LAWRENCESYSTEMS FG also can run on VMs and containers.
@LAWRENCESYSTEMS 1 year ago
@DjRio0001 Yes, that was noted in the video under "Can Be Virtualized".
@eXdriver23 1 year ago
I have a question about PFSense and Unifi. I took your advice from watching your videos and ordered a Netgate 4100 Max and I want to order some Unifi switch, access points and cameras. I want to also order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with PFSense or would you recommend using a different solution to control and capture video for my cameras?
@petermuller608 1 year ago
You are looking good! Did you do something to your hair?
@bsem68 1 year ago
Great video. I would like some more info how you configure customer pfsense to vpn back to you and coordinate them all in regards to centralized management.
@LAWRENCESYSTEMS 1 year ago
I'll make a video on that soon
@tappys15 1 year ago
I would like to see this too please!
@viecus 1 year ago
For the most part, the best firewall is the one you know how to configure well... No point having a $10000 firewall if you don't turn any of the features on!
@bblancoftb 1 year ago
I just upgraded my home internet connection to 3Gbps, and have been thinking about upgrading my firewall (NetGate xg7100) to add 10G support. I really like the netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter (since the xg7100 doesn't support copper sfp+ modules) or upgrade the firewall. Curious to hear your recommendation.
@ThisIsTenou 1 year ago
I think MikroTik's RouterOS would've been a nice addition to the chart as well, just for all the homelab peeps.
@LAWRENCESYSTEMS 1 year ago
I don't use them but they are inexpensive but also have a steep learning curve due to lacking documentation.
@ThisIsTenou 1 year ago
@LAWRENCESYSTEMS @Lawrence Systems I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice. However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
@ant1instant570 1 year ago
What's your thoughts on the extra advanced threat/malware detections feature that some firewalls are preaching? Is there something similar to pfsense?
@ProjectUnknowEddi 1 year ago
to the Sophos - I loved their old SG (Astaro-ish) Version that were a dream to work with. Now I'm doing XG and I hate it. They also charge for Updates now, even if I have already got the Network Protection licence for 5y, they now want me to pay extra. As it's an Intel based XG230, I will reinstall it with opnsense or just plain arch linux.
@not12listen 1 year ago
This was a nice breakdown! I've used Meraki a few years ago and it was very 'hands off, you tech, leave it to us!' - which was frustrating. I've been on IPFire for several years now and think it would be great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but would be surprised if it would not hold its own.
@LAWRENCESYSTEMS 1 year ago
Not likely that I will use it as it does not offer any compelling features over pfsense.
@rklauco 1 year ago
Great video!
@davelloyd- 1 year ago
The thing that seems hard to find is decent reporting - I want to know how much data each of my devices is using, and also break it down by major apps (eg, 100GB of netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking - the fan also is way too loud from home. It lasted about 7 weeks before being packed back in its box never to be used again. Currently trying pfsense on an old Dell sff pc - and meh; BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all and ntopng is complicated and not convinced it's going to gimme what I want. Some of the options (like Arista) I'd never even heard of before so gives me something to look at anyway.
@JonMajorCCIE47884 1 year ago
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
@_R_o_n_a_l_d_ 1 year ago
Meraki vmx only does vpn.
@JonMajorCCIE47884 1 year ago
@_R_o_n_a_l_d_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
@FireBean8504 1 year ago
Cannot wait for you to try Palo Alto firewalls!
@zeroibis 1 year ago
The firewall rule based on AD would actually be a great future feature for pfSense. Hopefully it is something we will see down the road.
@Traumatree 1 year ago
After the central management feature :)
@jimmymifsud1 1 year ago
@Traumatree cloud management, the. LDAP
@chrisslaunwhite9097 1 year ago
@Traumatree If they did this I would sell boatloads, but now with 20 or so in the wild it's just too much to manage...
@jorgeaguirresuri 1 year ago
if we are talking SMB .. those are ok, I even consider to use OPNsense or even zentyal... but for more complex clients (like manage a lot of FW, or do some specials things, etc) we are talking about Palo alto, checkpoint, fortinet, cisco ASA, etc .. BTW: fortinet is unix like, not consider as linux (cause it have its own kernel for their soc).
@tbard 1 year ago
This. Especially the first three you mentioned. I am not sure if I'd consider ASA at the same level as the other three tho.
@bx1803 1 year ago
@tbard PAN is the way to go for enterprise level NGFW.
@tbard 1 year ago
@bx1803 that'd be my choice too, I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick Fortigate.
@justinc.2656 9 months ago
I really like working with Meraki but you have to prepare yourself (or at least management) for the ongoing licensing costs.
@adamschimmel4070 1 year ago
I like the pfsense plus feature to import openvpn client config 😉
@GT500Shlby 1 year ago
Would be interested in seeing how you used vpns for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
@ShadowRaxx 1 year ago
Another nice column would be log output format like CEF over Syslog etc
@thepcenthusiastchannel2300 1 year ago
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to setup any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for Auth is also very easy. I will say that I prefer pfSense but that's just me.
@Felix-ve9hs 1 year ago
I didn't realize that Untangle is owned by Arista, I only really knew them from their datacenter grade switches.
@ierosgr 1 year ago
kind of irrelevant question but when you use pfsense (OPNsense and others) do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfsense behind it? Specially nowadays that all connections have voip it is even more difficult to do so, since many providers (at least in my country all of them) don't provide voip credentials to set it up your own. So you end up with double NAT and pfsense sees the internal ip address as the public one. On the other hand I don't think pfsense can act as a standalone modem so it needs one in front. Am I right? Thank you
@marcogenovesi8570 1 year ago
yes these are all firewall solutions not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them
@ierosgr 1 year ago
@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than us here in Greece (they act like a different government and try anything but to help client)
@tonkatuffnuts 1 year ago
Fyi, I use custom feeds on our fortigates straight from MS-ISAC
@runge340 10 months ago
The FortiGates can also use its Let’s encrypt certificate for its SSL VPN and the VPN Webportal which is great
@williamgregoire9418 18 days ago
Fortigate can run on your own hardware with the FortiGate VM
@Imphrox 8 months ago
Would've loved to see OPNsense. Also, sadly there's no automation capability comparison.
@davidbailey3289 11 months ago
Thanks for the review. Any chance you ever do a review of antivirus that works well with this?
@LAWRENCESYSTEMS 11 months ago
I think you are asking about firewall based AV and I am not aware of any that are effective.
@jordanshear4753 3 months ago
Meraki is not allowed to sell directly, if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic but the bottom line is; communication fixes all.
@chrish297 1 year ago
Excellent video and perfect timing. We are considering a new firewall.
@arthurascalon3867 1 year ago
Informative video... however, we use Sonicwall.
@battlefreek 5 months ago
Happy with Untangle/Arista for my customers since years and yes some parts are to be paid for the full version but you can choose not to.
@andriitarykin9567 1 year ago
what about WatchGuard? :-) I actually use their deprecated hardware for pfSense for a while
@blackshelbygt500kr 1 year ago
Fortigates can do reverse proxy as well as waf. I have a Fortigate running a reverse proxy in my house right now.
@LAWRENCESYSTEMS 1 year ago
Interesting all I found in their documentation was https load balancing which is not exactly the same as a reverse proxy.
@Faithhh071 1 year ago
@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load-balancers because it sells better? Technically load-balancers are just glorified reverse proxies.
@tombruton 1 year ago
@LAWRENCESYSTEMS virtual servers is their branding around that feature, I admit it’s not clear at first glance
@LAWRENCESYSTEMS 1 year ago
I updated the chart
@IkarosCanFly 1 year ago
I'm surprised palo alto didn't make the list
@charlessloane 1 year ago
Yes I agree. They are a major player in the market.
@taetschmeischter 1 year ago
Checkpoint and Juniper for the big world 😂
@jetskisnowboardski 1 year ago
Looking at the brands I’d say these are the small business options.
@ernestoditerribile 1 year ago
@taetschmeischter yep I truly love Juniper, IBM, HP Aruba and Cisco switches and Firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. PfSense is really complete and easy to install. The rest I don’t really know. So I will find out in this video. Haven’t started watching yet.
@ernestoditerribile 1 year ago
Don’t use NetGate appliances for your firewalls. Use Quad or Octo Xeon CPUs in your datacenters or Cisco 9300 series. Or Juniper SRX series. As soon as you go above 40 GBPS throughput, your speeds will suffer enormously. Made that mistake once at a client, who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
@dabneyoffermein595 5 months ago
if we keep snort & suricata (sorry for spelling) off initially after setting up a pfsense, is that a risk? in other words, should one of them be at least enabled at all times? or is the default setup wizard completion at least offering a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? thanks in advance so much!!!!
@LAWRENCESYSTEMS 5 months ago
Leaving them off is fine
@evelbsstudio 1 year ago
I'm looking at unifi udm pro, the se isn't worth the extra, I already have the poe injectors. I think udm pro is easier to setup etc than pfsense. The only thing I don't like about unifi is they're slow at putting out patches and new features. I could virtualise pfsense I suppose.. aarrggh stuck between what to get now lol..
@mohammadqaisqurbany4251 11 months ago
It is now 2 years that I handle and manage FortiGate. I can say it can fulfill all the requirements of a business in a country level. Love this firewall
@Gentlemanspot 1 year ago
would be good to see SAML/SSO support :p
@markus711 8 months ago
Anyone know which Firewall can handle vlan-tagged PPPoE, with speeds over 900 Mbps?
@apalrdsadventures 1 year ago
How's IPv6 support on these - is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
@LAWRENCESYSTEMS 1 year ago
I never have to use IPv6 so I didn't put it on the list.
@Knirin 1 year ago
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience. The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
@dcuccia 1 year ago
Curious what the SMB uptake is for Firewalla (Understand why it's not here - I watched the video :))
@LAWRENCESYSTEMS 1 year ago
I have links to reviews in the description, I really feel it's a consumer product and I find it odd that it uses a phone app for management.
@paulvancyber1979 1 year ago
I like watchguard! and pfsense
@89tsupra 8 months ago
What firewall do you recommend for a PPPoe 3Gbps+ fiber connection?
@LAWRENCESYSTEMS 8 months ago
I never use PPPoe so I don't have any suggestions
@89tsupra 8 months ago
@LAWRENCESYSTEMS Thank you for your reply. I know Pfsense supports it but it's not quick since it's a single threaded process.
@spambucket1999 1 year ago
Meraki can be virtualized using their vMX service.
@kxpn 1 year ago
I purchased a Mikrotik router about 30 days ago, absolutely horrible documentation, never did figure it out, am now switching to pfsense so much support unbelievable.
@etkasper 1 year ago
It would be awesome if you could please do a video on Twingate as well, I am curious to know what you think. Thank you.
@LAWRENCESYSTEMS 1 year ago
I don't really have any interest in Twingate, closed source VS Tailscale which is open source, more transparent, and has better documentation.
@johnb3616 1 year ago
So I have a question about the recent pfsense update……I have a sg-3100 which I know netgate stopped selling but when I try updating the software in my appliance it just keeps looping and doesn’t seem to update, should I just reset my appliance or is there something to do to force the update to install?
@LAWRENCESYSTEMS 1 year ago
Or you could do a fresh install with the latest version and reload
@johnb3616 1 year ago
@Lawrence Systems ah yeah, I didn't think about that. I just got frustrated, I guess. Thank you, I'll do that
@sufyankhanbest 9 months ago
What about Fortinet NGFW? currently I am using pfSense but would like to move on with other FW as squid is no more supported. Our main use is to block all website and certain website group-wise, and allowed all websites to Management.
@LAWRENCESYSTEMS 9 months ago
Due to more encryption being used today filtering at the firewalls for web traffic is more challenging than using a tool on the endpoint. We use Zoru for web filtering. Fortinet is a security mess ukposts.info/have/v-deo/b6N2fW5wfXd1lJc.html
@Stev.3n 1 year ago
We primarily use SonicWall and Meraki but have a few Fortinet and Unifi we support. As of late I've started to hate the SonicWalls for some stability/bugs myself and other admins have encountered. Personally for homelab I like Unifi as well as pfSense for testing.
@LAWRENCESYSTEMS 1 year ago
That is why I left Sonicwall off the list, I know many are using them, but no one stating they like them.
@jasper221176 1 year ago
We were a Sonicwall user...never go back, because of their aggressive way of selling.
@Redspence73 1 year ago
When dell bought Sonicwall years ago it was the beginning of the end for them, at least in my mind. Though truthfully I haven't touched one in quite a while.
@MoonWalkCTO 1 year ago
@LAWRENCESYSTEMS I have been using SonicWall for 20 years and they just keep getting better and better. I have hundreds of them running without a single glitch. ever.
@christopheoudin3625 1 year ago
Great video! What did you think about Mikrotik?
@LAWRENCESYSTEMS 1 year ago
That they have a steep learning curve and lacking documentation
@iowawizkid1 1 year ago
For the SMB, I feel you are missing the boat by not including WATCHGUARD.
@H3kler 4 months ago
I'd be interested to hear your thoughts on Palo Alto Networks products.
@LAWRENCESYSTEMS 4 months ago
They work well
@GXShade 1 year ago
I personally like your shirt
@minigpracing3068 1 year ago
I thought you also used Untangle for places that need web filtering? (edit, typed too soon)
@LAWRENCESYSTEMS 1 year ago
We do, but not often as endpoint filtering is easier to manage.
@zika1022 1 year ago
I'm using PFsense tried to block some websites such as UKposts but not working using everything and PFblockng and firewall rules, could you explain why?
@0M9H4X_Neckbeard 1 year ago
We've gone from pfSense -> Sophos XG -> FortiGate and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main usecase) by doing a fake-NAT and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and like I said - it also just doesn't work at all. No such issues or workarounds at all on the FortiGates
@SophosDACHSE 1 year ago
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
@canadianwildlifeservice8883 1 year ago
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
@geepeezee5030 1 year ago
Sophos's UTM does support LE directly from within the UI. XG (sfos) requires half assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and going EOL entirely 6/2026. That's progress for you!
@canadianwildlifeservice8883 1 year ago
@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro) then killed it, after they bought XG which was owned by Cyberoam.
@geevee9728 1 year ago
IDS/IPS, Content Filtering, DNS filtering, GeoIP filtering. So what features do they need to add to consider these as NGFW?
@LAWRENCESYSTEMS 1 year ago
NGFW is whatever marketing says it is.
@geevee9728 1 year ago
@LAWRENCESYSTEMS I only ask due to whenever the topic of cyber insurance comes up at work they always try to check off features of our pfsense against the mythical NGFW 🙂
@canadianwildlifeservice8883 1 year ago
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
@urzu181 1 year ago
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out Mikrotik as well. A number of companies, and even ISPs, use Mikrotik. Not that I'm a fan of Mikrotik or anything; in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe Mikrotik should have a place in the list just like UniFi.
@LAWRENCESYSTEMS 1 year ago
I don't use them, and their steep learning curve and lack of documentation do not make me want to.
@jaimeb5550 7 months ago
I don't know what you're smoking - Mikrotik have to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface-wise. Vendors do/name things slightly differently but Mikrotik take the cake when it comes to confusing the hell out of you... Good luck troubleshooting complex setups on them.
@nelsonmaranonjr.537 1 year ago
Hi Tom, can you do a review on Zenarmor on pfSense?
@LAWRENCESYSTEMS 1 year ago
Nope, not something I plan on using
@TruWrecks 1 year ago
I use IPFire and it so far is solid and smooth.
@LAWRENCESYSTEMS 1 year ago
I was going to do an April Fools video reviewing one of the really old firewall distros I used to use but I ran out of time.
@Darkk6969 1 year ago
Good ole IPCop which is what IPFire is based on. Happy to see it's pretty active. I moved to pfsense a long time ago as I needed more enterprise-like features.
@Foars989 1 year ago
I just wanna mention that the Sophos Home edition is only hardware limited (4 cores & 6 GB RAM); you still get the entire software package free.
@DavidSondermann 1 year ago
True but it really doesn't matter in a home environment. I got over 250 clients in my network, about 40VLANs, 50ish rules, static routing, RED Connection to my cloud hosted XG, 10/40Gbit networking and I've never experienced any issues concerning the hardware limit.
@Foars989 1 year ago
@DavidSondermann wasn't insinuating that it was a negative, just didn't want people to see Home Edition & think it would be heavily dumbed down vs the paid version. Been using it myself a couple of years with no issues.
@OPatron24 1 year ago
love the shirt lol
@MactelecomNetworks 1 year ago
Great video. I honestly think Unifi is the easiest vpn but I do use that the most. Next up would be PFsense
@LAWRENCESYSTEMS 1 year ago
Their site to site is, their user VPN is lacking
@MactelecomNetworks 1 year ago
@LAWRENCESYSTEMS agree, UID is much easier. But most people won't sign up for that and is a lot more steps
@abe6215 1 year ago
@LAWRENCESYSTEMS have you tried UID?
@danandrews2650 1 year ago
May I ask why Sonicwall would not be included?
@LAWRENCESYSTEMS 1 year ago
I don't know anyone that likes them, I have always found them to be a bit buggy.
@danandrews2650 1 year ago
@LAWRENCESYSTEMS Hi Lawrence, appreciate your point of view, however, after using them about 10+ years for hundreds of customers I would have to disagree. I tried using Fortigate and their products died after about 1 year. Support was not easy. Sonicwall support is excellent. Meraki is really expensive and too much for the SMBs I worked with. I would say if you haven't tried them in the past couple years it may be worth at least adding them to your list as they are reviewed on par with Fortigates. Appreciate the feedback. :)
@rickkephartactual7706 1 year ago
I started out with my pf flyers sneaker net firewall back in the 80's, you kids may not understand. I do not want to go back to those days, it was fun then but now, LOL no way.
@shadow.banned 1 year ago
What is the dummy mode firewall for non-networking dummies that still want privacy/security? Pihole?
@Wadmd 1 year ago
I'm a network guy joining the MSP space. Meraki, unifi, then other. Sophos and fortigate are out there, but meraki and unifi are better for use case. This is coming from a sonicwall and mikrotik background as well. Currently looking at araknis.
@skaterpunk0187 1 year ago
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway then Sophos UTM. I still have a few of the Astaro AP's.
@TheDrew2022 1 year ago
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
@abe6215 1 year ago
Switching to Sophos XG from Meraki has been a very bad experience for us.
@HisLoveArmy 1 year ago
Same. SG interface and features still better than the XG
@DavidSondermann 1 year ago
Long term Sophos/Astaro UTM User here. I finally migrated from UTM to XG in my Homelab environment and the first steps were pretty wonky for me. I adjusted to the new UI quickly and can't imagine going back to the old UTM. Sadly I've got some problems with the XG lately. Daily mails about the log threshold/disk space. The VM has 150gb... My UTM worked with a 80gb SSD.
@M.4y 1 year ago
Sadly the UTM is EOL now. The XG Webinterface is trash
@ericapelz260 1 year ago
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations etc.
@LAWRENCESYSTEMS 1 year ago
There's no one to one transfer and are you using the web filtering on Untangle? There is no good equivalent in pfsense.
@bx1803 1 year ago
@LAWRENCESYSTEMS use pihole for this.
@bertblankenstein3738 1 year ago
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device and set that up and then cut over at some point, at which time you find out if you got all the settings right.
@amitk0703 1 year ago
Why is Let's Encrypt NO for Sophos? It is supported.
@LAWRENCESYSTEMS 1 year ago
When I first did a Google search and asked Christian Lempa he had said no, but I did find it in the documentation so I fixed it in the chart.
@trp225 1 year ago
24:07 where is the chart? Please and thank you
@LAWRENCESYSTEMS 1 year ago
In the description
@j.s.b.6299 1 year ago
May I ask, what is SWDWAN?
@LAWRENCESYSTEMS 1 year ago
It had a few different meanings ukposts.info/have/v-deo/kZqZeaCOqm6K23k.html
@kalshnikovkid 1 year ago
Just an fyi you can purchase a virtual meraki
@075browar 13 days ago
cisco ASA ?
@mcury85 1 year ago
Meraki IPS is something you can't tune.. on or off. Also, use a cloud to configure it? I don't like it..
@tpmorse 1 year ago
No Palo ?