Actually I do prefer the speed of the updates, as well as all the other reasons mentioned, main reason why I also moved to opnSense, and assisted 3 companies in migrating to it coming from pfSense.
I've been using Untangle since it was a Windows app (yes, you read that correctly), and I absolutely love it. No product is without its downfalls, but Untangle has been rock solid for me for at least 10 years. One of my production edge devices running Untangle is about 70 days away from 3 years of uptime!
I do remember the demo app for Windows. For us, partners since version 5.01, I think back to 2007 or even 2006. A few years ago I did a few writeups on Untangle for a few tech websites. Had a LOT of them out there in production, however my view of UTMs being super important for businesses is easing up, I'm focusing more on PDNS now. Also not confident in the direction Arista is taking Untangle.
Great video. I would like some more info on how you configure customer pfsense to VPN back to you and coordinate them all in regards to centralized management.
Technically, Meraki does have the vMX, which you can run virtualized. However, most people tend to use the Meraki hardware. The vMX is mostly for Cloud environments.
For the most part, the best firewall is the one you know how to configure well... No point having a $10000 firewall if you don't turn any of the features on!
@@LAWRENCESYSTEMS @Lawrence Systems I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice. However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
To the Sophos: I loved their old SG (Astaro-ish) version that was a dream to work with. Now I'm doing XG and I hate it. They also charge for updates now; even though I have already got the Network Protection licence for 5y, they now want me to pay extra. As it's an Intel-based XG230, I will reinstall it with opnsense or just plain Arch Linux.
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
@@MoD_Master_Of_Disaster_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
Would be interested in seeing how you used vpns for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
If we are talking SMB, those are OK; I would even consider using OPNsense or even Zentyal. But for more complex clients (like managing a lot of FWs, or doing some special things, etc.) we are talking about Palo Alto, Check Point, Fortinet, Cisco ASA, etc. BTW: Fortinet is Unix-like, not considered Linux (because it has its own kernel for their SoC).
@@bx1803 that'd be my choice too, I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick Fortigate.
Love your videos Tom! I would love to see a video where you talk about the difference in the security architecture of something like Snort or Suricata with PFSense, versus ATP+UTM services provided by companies like Fortinet, Sophos, Meraki, Sonicwall, Palo Alto, etc. I am just getting back into PFSense after a few years off, and I'm honestly wondering how far things have come to make open-source(ish) firewalls more like "NGFW" systems that always have paid licenses, or things like Sophos Endpoint.
@@LAWRENCESYSTEMS Ok thanks. I did a lot of searching and reading about that before watching your video here, but I could not find anything. If you know where I can read or watch any videos about that I would love some links or recommendations!
@@radiowolf80211 Cisco owns Snort so that connection is easy, UniFi uses Suricata, there is not really any documentation other than when people SSH into these devices.
I purchased a Mikrotik router about 30 days ago. Absolutely horrible documentation, never did figure it out. Am now switching to pfsense; so much support, unbelievable.
Thank you for the video. Curious on your take of Araknis Networks routers. I use them at smaller clients' setups: good price point, super nice builds, 2 year hardware warranty, lifetime support and firmware updates with no license fees at all. I usually get the full suite (router, switches, APs) and it works with OvrC, a web based control portal, for free. There are no monthlies on anything Araknis, which I and my clients appreciate.
We've gone from pfSense -> Sophos XG -> FortiGate and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main use case) by doing a fake NAT and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and like I said, it also just doesn't work at all. No such issues or workarounds at all on the FortiGates.
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
How's IPv6 support on these? Is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience. The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
This was a nice breakdown! I've used Meraki a few years ago and it was very 'hands off, you tech, leave it to us!', which was frustrating. I've been on IPFire for several years now and think it would be a great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but would be surprised if it would not hold its own.
@@taetschmeischter Yep, I truly love Juniper, IBM, HP Aruba and Cisco switches and firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. pfSense is really complete and easy to install. The rest I don't really know. So I will find out in this video. Haven't started watching yet.
Don't use Netgate appliances for your firewalls. Use quad or octo Xeon CPUs in your datacenters, or Cisco 9300 series, or Juniper SRX series. As soon as you go above 40 Gbps throughput, your speeds will suffer enormously. Made that mistake once at a client, who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
True, but it really doesn't matter in a home environment. I've got over 250 clients in my network, about 40 VLANs, 50ish rules, static routing, a RED connection to my cloud hosted XG, 10/40Gbit networking, and I've never experienced any issues concerning the hardware limit.
@@DavidSondermann wasn't insinuating that it was a negative, just didn't want people to see Home Edition & think it would be heavily dumbed down vs the paid version. Been using it myself couple years with no issues
I'm myself an IT Security Engineer. The video was pretty good. Sadly no Palo Alto was in the comparison. Personally I worked with the old Sophos UTM which in my opinion had the best UI for new users. The new XG is a step, but in the wrong direction. Therefore we switched to FortiGate, which are pretty nice. My homelab is based on an 80F. But the Palo Alto is kind of my favourite FW. And one thing I have to say: no FW should have a mail filter or reverse proxy, because there are way better products like the NetScaler and the IronPort.
NetScalers are for big companies that have A LOT of stuff that people can access, and are mostly a thing of the past unless you are vendor locked-in and forced to host your own stuff. In today's space, most companies should probably host their services on Azure/AWS/Google and benefit from their own netscaling infrastructures that no one can challenge.
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to setup any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for Auth is also very easy. I will say that I prefer pfSense but that's just me.
The thing that seems hard to find is decent reporting. I want to know how much data each of my devices is using, and also break it down by major apps (e.g., 100GB of Netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a Sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking; the fan also is way too loud for home. It lasted about 7 weeks before being packed back in its box never to be used again. Currently trying pfsense on an old Dell SFF PC, and meh: BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all, and ntopng is complicated and I'm not convinced it's going to give me what I want. Some of the options (like Arista) I'd never even heard of before, so it gives me something to look at anyway.
Kind of irrelevant question, but when you use pfsense (OPNsense and others), do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfsense behind it? Especially nowadays that all connections have VoIP it is even more difficult to do so, since many providers (at least in my country all of them) don't provide VoIP credentials to set it up on your own. So you end up with double NAT and pfsense sees the internal IP address as the public one. On the other hand I don't think pfsense can act as a standalone modem, so it needs one in front. Am I right? Thank you
Yes, these are all firewall solutions, not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them.
@@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than us here in Greece (they act like a different government and try anything but to help client)
Meraki is not allowed to sell directly, if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic but the bottom line is; communication fixes all.
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations etc.
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device, set that up, and then cut over at some point, at which time you find out if you got all the settings right.
I have now been handling and managing FortiGate for 2 years. I can say it can fulfill all the requirements of a business at a country level. Love this firewall.
@@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load-balancers because it sells better? Technically load-balancers are just glorified reverse proxies.
I have a question about pfSense and UniFi. I took your advice from watching your videos and ordered a Netgate 4100 Max and I want to order some UniFi switches, access points and cameras. I want to also order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with pfSense or would you recommend using a different solution to control and capture video for my cameras?
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out Mikrotik as well. A number of companies, and even ISPs, use Mikrotik. Not that I'm a fan of Mikrotik or anything; in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe Mikrotik should have a place in the list just like UniFi.
I don't know what you're smoking. Mikrotik have to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface wise. Vendors do/name things slightly differently, but Mikrotik take the cake when it comes to confusing the hell out of you. Good luck troubleshooting complex setups on them.
My employer has always purchased Meraki direct through CDW / Insight so I don't know if they are going around MSPs. The license seems to also be a support agreement as they have replaced dead APs with newer models a few times.
I’m really surprised to see so few of the mainstream options listed, a few everyone should be aware of: Cisco ASA/Firepower, PaloAlto, Juniper, Check Point, WatchGuard, Barracuda and Sonicwall. The primary options in this video are really more suited for small offices.
I just upgraded my home internet connection to 3Gbps, and have been thinking about upgrading my firewall (Netgate XG-7100) to add 10G support. I really like the Netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter (since the XG-7100 doesn't support copper SFP+ modules) or upgrade the firewall. Curious to hear your recommendation.
I don't get why pfsense doesn't have any easy way to do content filtering. Even if it's paid, the option would be nice. How come all the others can do it easily? I use Sophos and that's the main reason why. They are reliable and can block a ton of apps.
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway, then Sophos UTM. I still have a few of the Astaro APs.
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
Long term Sophos/Astaro UTM user here. I finally migrated from UTM to XG in my homelab environment and the first steps were pretty wonky for me. I adjusted to the new UI quickly and can't imagine going back to the old UTM. Sadly I've got some problems with the XG lately. Daily mails about the log threshold/disk space. The VM has 150GB... My UTM worked with an 80GB SSD.
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
Sophos's UTM does support LE directly from within the UI. XG (sfos) requires half assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and going EOL entirely 6/2026. That's progress for you!
@@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro) then killed it, after they bought XG which was owned by Cyberoam.
Good ole IPCop which is what IPFire is based on. Happy to see it's pretty active. I've moved to pfsense long time ago as I needed more enterprise like features.
I started out with my PF Flyers sneakernet firewall back in the 80's, you kids may not understand. I do not want to go back to those days; it was fun then but now, LOL, no way.
if we keep snort & suricata (sorry for spelling) off initially after setting up a pfsense, is that a risk? in other words, should one of them be at least enabled at all times? or is the default setup wizard completion at least offering a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? thanks in advance so much!!!!
I'm using pfSense and tried to block some websites such as YouTube, but it's not working using everything, pfBlockerNG and firewall rules. Could you explain why?
I have never seen you doing a comparison or review where you include Cisco's Firepower firewalls. I don't know if you are not familiar with them or if it's because of their complexity, but what I can tell you is that they are the best and most widely used in the world in large enterprises and leading corporations.
What about Fortinet NGFW? Currently I am using pfSense but would like to move on to another FW as squid is no longer supported. Our main use is to block all websites and certain websites group-wise, and allow all websites to Management.
Due to more encryption being used today, filtering at the firewall for web traffic is more challenging than using a tool on the endpoint. We use Zoru for web filtering. Fortinet is a security mess ua-cam.com/video/7sEI89FAD3c/v-deo.html
@@LAWRENCESYSTEMS I only ask due to whenever the topic of cyber insurance comes up at work they always try to check off features of our pfsense against the mythical NGFW 🙂
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
I talked my boss into using pfsense (Plus, on an HA pair of Netgate devices) in some, fortunately not so critical, point and got burned by a few nasty bugs, including one unthinkable in this day and age.
I'm looking at the UniFi UDM Pro; the SE isn't worth the extra, I already have the PoE injectors. I think the UDM Pro is easier to set up etc. than pfsense. The only thing I don't like about UniFi is they're slow at putting out patches and new features. I could virtualise pfsense I suppose... aarrggh, stuck between what to get now lol.
It would seem from the listed criteria that this video is more focused on SMB or entry-level market - I didn't see positioning for this so apologies if I missed it. And nothing wrong with that. But there's a huge set of features missing here that relates to mid- and enterprise market. Many of the firewalls here would be removed from the chart for lack of support. Link performance metrics, vxlan, evpn, twamp, cgnat, hyperscale, sso, hardware switching, IPsec aggs, ztna, saml, wired and WiFi nac, dynamic cloud objects/SDN, dynamic mesh IPsec, etc. List goes on and on. So these need to be considered for the use case you need.
Also wanted to mention that the FortiGate supports the complete acme protocol, not just let's encrypt. Not sure about the other products. With recent murmurs from Google about wanting 90 day TLS certificate expiry, this is going to be a critical feature.
I'm a network guy joining the MSP space. Meraki, unifi, then other. Sophos and fortigate are out there, but meraki and unifi are better for use case. This is coming from a sonicwall and mikrotik background as well. Currently looking at araknis.
We primarily use SonicWall and Meraki but have a few Fortinet and UniFi we support. As of late I've started to hate the SonicWalls for some stability issues/bugs myself and other admins have encountered. Personally for homelab I like UniFi as well as pfSense for testing.
When dell bought Sonicwall years ago it was the beginning of the end for them, at least in my mind. Though truthfully I haven't touched one in quite a while.
@@LAWRENCESYSTEMS I have been using SonicWall for 20 years and they just keep getting better and better. I have hundreds of them running without a single glitch. Ever.
Meraki does have a virtual MX (vMX) appliance for AWS or Azure. Meraki will also work once the license expires; you just can't view any client information or make changes via the dashboard. You get locked out of the dashboard, not the device.
So I have a question about the recent pfsense update... I have an SG-3100 which I know Netgate stopped selling, but when I try updating the software on my appliance it just keeps looping and doesn't seem to update. Should I just reset my appliance or is there something to do to force the update to install?
@@LAWRENCESYSTEMS Thanks. I was thinking of redesigning the home network with Cisco enterprise gear and adding pfsense to the equation, maybe something hybrid. I am planning to start a YouTube channel sometime, but I want to set up a server backing up YouTube video on my local server, so what type of setup do you recommend? Do I need a 10Gb network? I also have to consider privacy; now most common browsers have built-in trackers, so I want to stay private. Do I need fiber optic on the LAN? What are your thoughts? Not really sure how to go about it.
A few notes:
The Fortinet DOES have a reverse proxy (not just load balancer)
The Sophos DOES support Let's Encrypt for their web interface.
FortiGate can be run as a virtual machine.
What about Antivirus, Antispam, File Filter, SSL inspection, SD-WAN, IPS that actually gets the job done? This is a really limited list of only stuff that pfSense does.
You either did not watch the video or did not look at the comparison chart (probably both) because most of those features are on the list.
@@LAWRENCESYSTEMS multiWAN is not SD-WAN. Antivirus or Antispam is not mentioned at all.
The hard truth is that Open Source firewalls are really not that good when it comes to endpoint protection, from Antivirus, to content filtering, they are just too much to handle. Even then, they are not reliable.
IPS is covered, sorry about that. Although, IPS with SSL enabled is a whole other story.
Multiple wan and sdwan is on there. So is the SSL inspection. Are you even looking at the same chart? For someone trying to make their point about "The Hard Truth" of Open Source, not reading the materials presented is not helping your credibility.
@SmoothOper4t0r You don't need endpoint protection, that's what Cylance/CrowdStrike/SentinelOne is for. Same with the SIEM: let the SOC handle it, buy it as a service that just works and check it off your insurance form. Then get ThreatLocker.
Great stuff! would love this to be an annual thing. Great reference!
I was using pfsense for 5+ years and recently started having issues with rule schedules not blocking what I need to.
Switched to opnsense and was amazed. Issues are gone and I live in 2023 now, not in 2000, which the pfsense web UI is stuck in. Very happy with it and would say it is worth trying.
Didn't realize the GUIs were that different. I haven't had any issues with pfsense yet, but I might spin up opnsense just to see what I might be missing.
Am interested in a bit more specification if you don't mind. Maybe I'd have to look into this.
@@TheFibie007 I have some IPs that should be restricted going outside based on schedule. I've created 2 rules: one to block always and another to allow on a specific schedule. It's been working for years but the latest update broke it. I've been using the Home Plus licence.
Rules just stopped working; the schedule was ignored. The only way to enforce the rule was to reboot pfsense. Client wifi reconnection and even reboot didn't do anything. To illustrate: the rule allows connection but the client can't connect; pfsense rebooted, the client can connect. Then the rule does not allow connection but the client still can connect, even connecting to the LAN after the disabling rule is in effect; again a pfsense reboot is the only way to enforce it.
I actually prefer the pfsense UI. It seems more logically laid out, at least in my mind. Opnsense's UI is more "modern" looking but not necessarily better. On the same browser it is slower to navigate between screens. Also, the gray colored font is harder to read than pf's more contrasting colors.
Regarding the scheduling issue, likely a pfsense bug that needs to be fixed. This is version 23.01. By 23.10 hopefully most bugs will be fixed. Learned a long long time ago to never update to the newest version right away. Give it at least 6 months before even considering testing it.
@@geepeezee5030 pfsense UI is usable, no doubt. I prefer opnsense UI but it's a personal taste.
I haven't upgraded straight away, gave it a couple of months from the release. Rather than reinstall I've decided to try opnsense and, as I've mentioned, not looking back
Most wanted video for quite some time. Thanks Lawrence
Lol just fyi his name is Tom Lawrence.
Really appreciate the run down. Comparing firewalls is hard at the best of times, happy you made this video. (The sheet could be a very useful resource in the future) 👍
I was kind of a long time user of pfsense, and still use it for old testing environments, but at one point I got a Mikrotik Router, that has served me very well for any needed advanced firewall configurations, as well as VPN endpoints.
RouterOS has a lot of good features inside.
Except when you need Ipsec VTI 😅
Thanks for the video Tom, just a quick correction though, you might want to rename the 'Operating System' row to 'Kernel'.
Keep up the great work, I enjoy your videos a lot!
Personally, I like Fortigate as a solid, easy to configure, affordable all-around FW for SMB and large enterprises. For home, while I would still prefer using Fortigate, I can see the use case for pfSense if you need some common features that home users prefer like Tailscale, WireGuard, etc. With the small Fortigates being in the same price range as comparably spec'd pfSense appliances, I usually just go for Fortigate in most scenarios. You only need to pay for licensing if you're looking to unlock Layer 7 features.
4 minutes of disclaimers so Tom doesn't have to deal with, "why not xyz?"
... will still be asked, "why not xyz?".
Yes, but all those comments do help the YouTube algorithm know that people find this content engaging!
@@LAWRENCESYSTEMS Which is the best? Is it Sophos?
@@josealfredfernandes The best one is the one that fits all your needs.
The Fortigate does have WAF/reverse proxy. You can turn the feature toggle on for it to display the options in the GUI to configure it.
Yes, I updated the chart.
@@LAWRENCESYSTEMS FG also can run on VMs and containers.
@@DjRio0001 Yes, that was noted in the video under "Can Be Virtualized"
Long term Meraki user here, I even have 4 years and 299 days left on my licenses, but recently I moved to Pfsense. Main reason for ditching the Meraki MX64 firewall is that we've outgrown it. Being limited at 250Mbit on the WAN side is a 50% reduction of my internet speed (the ISP does give us a "free" speed increase every year or so). After having tested Pfsense as a VM on a Synology DS1621+ for a week, I bought the Netgate box. So last Friday I received my Netgate 6100 (with 4 years hardware support contract). Man am I blown away by it. Yes Meraki has some nifty features, though I don't think I'll miss them that much on our home network. I'm quite certain the Netgate box will serve us well for the next few years.
Great video Tom! I would add 2 things to the list:
1. API
2. OpenVPN with LDAP/AD integration (and a bonus if it has 2FA)
3. VxLAN
The reason I moved over to OPNsense from pfSense was because of API support for firewall rule and network automation and VxLAN. VxLAN support is definitely more nuanced, but I'm getting more involved in hyperconverged virtualization.
Yes, I don't like how often OPNsense updates either...
Line 24 covers #2 and API would be a debate on how functional that API is. VXLAN is not really used in the SMB space and rarely in the homelab space.
@@LAWRENCESYSTEMS Hi Tom, I was referring to the distinction between users in AD/LDAP for Firewall appliance login and users in AD/LDAP for OpenVPN login on the Firewall appliance. For example, in pfSense, I can set up LDAP as my authentication server and then get my LDAP users to log into OpenVPN running on the appliance, authenticating against the LDAP server. Can that be done in UniFi appliances?
Not sure how well that works with UniFi.
Actually I do prefer the speed of the updates, as well as all the other reasons mentioned, main reason why I also moved to opnSense, and assisted 3 companies in migrating to it coming from pfSense.
Thanks pal, great help on this topic!
I've been using Untangle since it was a Windows app (yes, you read that correctly), and I absolutely love it. No product is without its downfalls, but Untangle has been rock solid for me for at least 10 years. One of my production edge devices running Untangle is about 70 days away from 3yrs of uptime!
I do remember the demo app for Windows. For us, partners since version 5.01, I think back to 2007 or even 2006. A few years ago I did a few writeups on Untangle for a few tech websites.
Had a LOT of them out there in production, however my view of UTMs being super important for businesses is easing up, I'm focusing more on PDNS now. Also not confident in the direction Arista is taking Untangle.
Same. Have used Sophos UTM, Sophos XG, pfsense and Untangle and ultimately Untangle NGFW (latest). Untangle the best of the bunch.
Great video. I would like some more info on how you configure customer pfSense boxes to VPN back to you and coordinate them all in regards to centralized management.
I'll make a video on that soon
I would like to see this too please!
Technically, Meraki does have the vMX, which you can run virtualized. However, most people tend to use the Meraki hardware. The vMX is mostly for Cloud environments.
a vMX is only capable of facilitating VPN connections
For the most part, the best firewall is the one you know how to configure well... No point having a $10000 firewall if you don't turn any of the features on!
I think MikroTik's RouterOS would've been a nice addition to the chart as well, just for all the homelab peeps.
I don't use them; they are inexpensive but also have a steep learning curve due to lacking documentation.
@@LAWRENCESYSTEMS I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice.
However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
On Sophos - I loved their old SG (Astaro-ish) version that was a dream to work with. Now I'm doing XG and I hate it. They also charge for updates now, even if I have already got the Network Protection licence for 5y, they now want me to pay extra. As it's an Intel based XG230, I will reinstall it with opnsense or just plain Arch Linux.
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
Meraki vMX only does VPN.
@@MoD_Master_Of_Disaster_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
The firewall rule based on AD would actually be a great future feature for pfSense. Hopefully it is something we will see down the road.
After the central management feature :)
@@Traumatree cloud management, then LDAP
@@Traumatree If they did this I would sell boatloads, but now with 20 or so in the wild it's just too much to manage...
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
Fortigate can run on your own hardware with the FortiGate VM
Would be interested in seeing how you used vpns for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
If we are talking SMB, those are OK; I even consider using OPNsense or even Zentyal. But for more complex clients (like managing a lot of FWs, or doing some special things, etc.) we are talking about Palo Alto, Check Point, Fortinet, Cisco ASA, etc. BTW: Fortinet is Unix-like, not considered Linux (because it has its own kernel for their SoC).
This. Especially the first three you mentioned. I am not sure if I'd consider ASA at the same level as the other three tho.
@@tbard PAN is the way to go for enterprise level NGFW.
@@bx1803 that'd be my choice too, I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick Fortigate.
Awesome! Love the shirt Tom.
Love your videos Tom! I would love to see a video where you talk about the difference in the security architecture of something like Snort or Suricata with PFSense, versus ATP+UTM services provided by companies like Fortinet, Sophos, Meraki, Sonicwall, Palo Alto, etc. I am just getting back into PFSense after a few years off, and I'm honestly wondering how far things have come to make open-source(ish) firewalls more like "NGFW" systems that always have paid licenses, or things like Sophos Endpoint.
The closed source companies are using the same tools such as Suricata and Snort, they just manage them for you.
@@LAWRENCESYSTEMS Ok thanks. I did a lot of searching and reading about that before watching your video here, but I could not find anything. If you know where I can read or watch any videos about that I would love some links or recommendations!
@@radiowolf80211 Cisco owns Snort so that connection is easy, UniFi uses Suricata, there is not really any documentation other than when people SSH into these devices.
I purchased a Mikrotik router about 30 days ago, absolutely horrible documentation, never did figure it out, am now switching to pfsense. So much support, unbelievable.
Thank you for the video
Curious on your take of Araknis Networks Routers, I use them at smaller clients setups
Good price point, super nice builds, 2 year hardware warranty, lifetime support and firmware updates with no license fees at all.
I usually get the full suite, Router, Switches, APs, and it works with OvrC, a web based control portal, for free. There are no monthlies on anything Araknis, which I and my clients appreciate.
We've gone from pfSense -> Sophos XG -> FortiGate and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main usecase) by doing a fake-NAT and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and like I said - it also just doesn't work at all. No such issues or workarounds at all on the FortiGates.
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
What's your thoughts on the extra advanced threat/malware detections feature that some firewalls are preaching? Is there something similar to pfsense?
How's IPv6 support on these - is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
I never have to use IPv6 so I didn't put it on the list.
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience.
The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
Nice Content, Thank you
This was a nice breakdown! I've used Meraki a few years ago and it was very 'hands off, you tech, leave it to us!' - which was frustrating.
I've been on IPFire for several years now and think it would be a great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but I would be surprised if it would not hold its own.
Not likely that I will use it as it does not offer any compelling features over pfsense.
I'm surprised Palo Alto didn't make the list.
Yes I agree. They are a major player in the market.
Checkpoint and Juniper for the big world 😂
Looking at the brands I’d say these are the small business options.
@@taetschmeischter Yep, I truly love Juniper, IBM, HP Aruba and Cisco switches and firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. PfSense is really complete and easy to install. The rest I don't really know. So I will find out in this video. Haven't started watching yet.
Don't use NetGate appliances for your firewalls. Use Quad or Octo Xeon CPUs in your datacenters or Cisco 9300 series. Or Juniper SRX series. As soon as you go above 40 GBPS throughput, your speeds will suffer enormously. Made that mistake once at a client, who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
I really like working with Meraki but you have to prepare yourself (or at least management) for the ongoing licensing costs.
I just want to mention that the Sophos Home edition is only hardware limited (4 cores & 6 GB RAM), you still get the entire software package free.
True but it really doesn't matter in a home environment. I got over 250 clients in my network, about 40VLANs, 50ish rules, static routing, RED Connection to my cloud hosted XG, 10/40Gbit networking and I've never experienced any issues concerning the hardware limit.
@@DavidSondermann wasn't insinuating that it was a negative, just didn't want people to see Home Edition & think it would be heavily dumbed down vs the paid version. Been using it myself couple years with no issues
I'm an IT Security Engineer myself. The video was pretty good. Sadly no PaloAlto was in the comparison. Personally I worked with the old Sophos UTM which in my opinion had the best UI for new users. The new XG is a step, but in the wrong direction. Therefore we switched to FortiGate which are pretty nice. My Homelab is based on an 80F. But the PaloAlto is kind of my favourite FW. And one thing I have to say, no FW should have a mail filter or reverse proxy because there are way better products like the Netscaler and the IronPort.
Netscalers are for big companies that have A LOT of stuff that people can access - and are mostly a thing of the past unless you are vendor locked-in and forced to host your own stuff. In today's space, most companies should probably host their services on Azure/AWS/Google and benefit from their own netscaling infrastructures that no one can challenge.
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to setup any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for Auth is also very easy.
I will say that I prefer pfSense but that's just me.
Happy with Untangle/Arista for my customers for years, and yes some parts are to be paid for in the full version but you can choose not to.
The thing that seems hard to find is decent reporting - I want to know how much data each of my devices is using, and also break it down by major apps (eg, 100GB of netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking - the fan also is way too loud for home. It lasted about 7 weeks before being packed back in its box never to be used again. Currently trying pfsense on an old Dell sff pc - and meh; BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all and ntopng is complicated and I'm not convinced it's going to gimme what I want.
Some of the options (like Arista) I'd never even heard of before so gives me something to look at anyway
Kind of irrelevant question, but when you use pfsense (OPNsense and others) do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfsense behind it? Especially nowadays that all connections have voip it is even more difficult to do so, since many providers (at least in my country all of them) don't provide voip credentials to set it up on your own. So you end up with double NAT and pfsense sees the internal ip address as the public one.
On the other hand I don't think pfsense can act as a standalone modem so it needs one in front. Am I right?
Thank you
Yes, these are all firewall solutions, not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them.
@@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than us here in Greece (they act like a different government and try anything but to help client)
Meraki is not allowed to sell directly, if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic but the bottom line is; communication fixes all.
I didn't realize that Untangle is owned by Arista, I only really knew them from their datacenter grade switches.
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations etc.
There's no one to one transfer and are you using the web filtering on Untangle? There is no good equivalent in pfsense.
@@LAWRENCESYSTEMS use pihole for this.
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device and set it up and then cut over at some point, at which time you find out if you got all the settings right.
I have now been handling and managing FortiGate for 2 years. I can say it can fulfill all the requirements of a business at a country level. Love this firewall.
You are looking good! Did you do something to your hair?
Fortigates can do reverse proxy as well as WAF. I have a Fortigate running a reverse proxy in my house right now.
Interesting all I found in their documentation was https load balancing which is not exactly the same as a reverse proxy.
@@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load-balancers because it sells better? Technically load-balancers are just glorified reverse proxies.
@@LAWRENCESYSTEMS Virtual servers is their branding around that feature, I admit it's not clear at first glance.
I updated the chart
Informative video... however, we use Sonicwall.
I have a question about PFSense and Unifi. I took your advice from watching your videos and ordered a Netgate 4100 Max and I want to order some Unifi switches, access points and cameras. I want to also order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with PFSense or would you recommend using a different solution to control and capture video for my cameras?
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out Mikrotik as well. A number of companies, and even ISPs, use Mikrotik. Not that I'm a fan of Mikrotik or anything, in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe Mikrotik should have a place in the list just like UniFi.
I don't use them, and their steep learning curve and lack of documentation do not make me want to.
I don't know what you're smoking - Mikrotik have to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface wise. Vendors do/name things slightly differently but Mikrotik take the cake when it comes to confusing the hell out of you... Good luck troubleshooting complex setups on them.
Great review Tom, very informative, thanks.
I like the pfsense Plus feature to import openvpn client config 😉
Would've loved to see OPNsense. Also, sadly there's no automation capability comparison.
My employer has always purchased Meraki directly through CDW / Insight so I don't know if they are going around MSPs. The license seems to also be a support agreement as they have replaced dead APs with newer models a few times.
I’m really surprised to see so few of the mainstream options listed, a few everyone should be aware of:
Cisco ASA/Firepower, PaloAlto, Juniper, Check Point, WatchGuard, Barracuda and Sonicwall.
The primary options in this video are really more suited for small offices.
Fortinet, Sophos XG and even Meraki are not only "more suitable for small offices".
Barracuda? 💀💀💀
I just upgraded my home internet connection to 3Gbps, and have been thinking about upgrading my firewall (NetGate xg7100) to add 10G support. I really like the netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter (since the xg7100 doesn't support copper sfp+ modules) or upgrade the firewall. Curious to hear your recommendation.
For the SMB, I feel you are missing the boat by not including WATCHGUARD.
I personally like your shirt
The FortiGates can also use its Let's Encrypt certificate for its SSL VPN and the VPN web portal, which is great.
I don't get why pfSense doesn't have any easy way to do content filtering. Even if it's paid the option would be nice. How come all the others can do it easily? I use sophos and that's the main reason why. They are reliable and can block a ton of apps.
It has Zenarmor now.
Thanks for this!
Thanks for the review. Any chance you ever do a review of antivirus that works well with this?
I think you are asking about firewall based AV and I am not aware of any that are effective.
It would be awesome if you could please do a video on Twingate as well, I am curious to know what you think. Thank you.
I don't really have any interest in Twingate, closed source VS Tailscale which is open source, more transparent, and has better documentation.
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway then Sophos UTM. I still have a few of the Astaro AP's.
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
Switching to sophos XG from Meraki has been a very bad experience for us
Same. SG interface and features still better than the XG
Long term Sophos/Astaro UTM User here. I finally migrated from UTM to XG in my Homelab environment and the first steps were pretty wonky for me.
I adjusted to the new UI quickly and can't imagine going back to the old UTM.
Sadly I've got some problems with the XG lately. Daily mails about the log threshold/disk space. The VM has 150 GB... My UTM worked with an 80 GB SSD.
Sadly the UTM is EOL now. The XG Webinterface is trash
Cannot wait for you to try Palo Alto firewalls!
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
Sophos's UTM does support LE directly from within the UI. XG (sfos) requires half assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and going EOL entirely 6/2026. That's progress for you!
@@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro) then killed it, after they bought XG which was owned by Cyberoam.
Another nice column would be log output format like CEF over Syslog etc
what about WatchGuard? :-) I actually use their deprecated hardware for pfSense for a while
Eyyyy perfect timing TY
I use ipfire and it so far is solid and smooth.
I was going to do an April Fools video reviewing one of the really old firewall distros I used to use but I ran out of time.
Good ole IPCop, which is what IPFire is based on. Happy to see it's pretty active. I moved to pfsense a long time ago as I needed more enterprise like features.
I started out with my pf flyers sneaker net firewall back in the 80's, you kids may not understand. I do not want to go back to those days, it was fun then but now, LOL no way.
if we keep snort & suricata (sorry for spelling) off initially after setting up a pfsense, is that a risk? in other words, should one of them be at least enabled at all times? or is the default setup wizard completion at least offering a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? thanks in advance so much!!!!
Leaving them off is fine.
I'm using PFsense and tried to block some websites such as YouTube but it's not working using everything, pfBlockerNG and firewall rules. Could you explain why?
Curious what the SMB uptake is for Firewalla (Understand why it's not here - I watched the video :))
I have links to reviews in the description, I really feel it's a consumer product and I find it odd that it uses a phone app for management.
Great video!
Great video. I honestly think Unifi is the easiest vpn but I do use that the most. Next up would be PFsense
Their site to site is, their user VPN is lacking
@@LAWRENCESYSTEMS agree, UID is much easier . But most people won’t sign up for that and is a lot more steps
@@LAWRENCESYSTEMS Have you tried UID?
I have never seen you doing a comparison or review where you include Cisco's Firepower firewalls. I don't know if you are not familiar with them or if it's because of their complexity, but what I can tell you is that they are the best and most widely used in the world in large enterprises and leading corporations.
I don't use them, they are very expensive, and in the first 30 seconds of the video I explain the qualifiers.
@@LAWRENCESYSTEMS You're right. My respect for your work.
What about Fortinet NGFW? Currently I am using pfSense but would like to move on to another FW as Squid is no longer supported. Our main use is to block all websites and certain websites group-wise, and allow all websites to Management.
Due to more encryption being used today, filtering web traffic at the firewall is more challenging than using a tool on the endpoint. We use Zoru for web filtering. Fortinet is a security mess ua-cam.com/video/7sEI89FAD3c/v-deo.html
IDS/IPS, Content Filtering, DNS filtering, GeoIP filtering
So what features do they need to add to consider these as NGFW?
NGFW is whatever marketing says it is.
@@LAWRENCESYSTEMS I only ask due to whenever the topic of cyber insurance comes up at work they always try to check off features of our pfsense against the mythical NGFW 🙂
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
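An added example (not from the video or any commenter) of the layer 4 versus layer 7 distinction drawn above: the same HTTPS flow judged by a port-only rule and by an application-aware rule that reads the cleartext server_name (SNI) out of the TLS ClientHello. The ClientHello bytes and the blocked-name policy are constructed here; when no SNI is present (as with Encrypted Client Hello) the application-layer rule can only report an unclassified flow.

```python
"""
Layer 4 vs layer 7 decision on one HTTPS flow.  A port-based rule sees only
"TCP to 443"; an application-layer rule additionally parses the TLS
ClientHello and matches the SNI host_name against a policy.
"""
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000

# Constructed policy for the example (hypothetical names).
BLOCKED_NAMES = {"video.example.com"}


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2-style ClientHello record (constructed sample)."""
    body = b"\x03\x03"                                  # client_version TLS 1.2
    body += b"\x11" * 32                                # random (fixed, sample only)
    body += b"\x00"                                     # empty session_id
    body += struct.pack("!H", 2) + b"\x13\x01"          # one cipher suite
    body += b"\x01\x00"                                 # compression: null only
    extensions = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name
        sni_list = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Return the SNI host_name from a ClientHello record, or None if absent/unparseable."""
    try:
        if record[0] != TLS_HANDSHAKE:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != CLIENT_HELLO:
            return None
        pos = 4 + 2 + 32                     # handshake header, version, random
        pos += 1 + hs[pos]                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                   # compression_methods
        if pos >= len(hs):
            return None                      # no extensions block at all
        ext_len = struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if ext_type == EXT_SERVER_NAME:
                list_len = struct.unpack("!H", hs[pos:pos + 2])[0]
                lp, list_end = pos + 2, pos + 2 + list_len
                while lp + 3 <= list_end:
                    name_type = hs[lp]
                    name_len = struct.unpack("!H", hs[lp + 1:lp + 3])[0]
                    if name_type == 0:       # host_name
                        return hs[lp + 3:lp + 3 + name_len].decode("idna")
                    lp += 3 + name_len
                return None
            pos += ext_size
        return None
    except (IndexError, struct.error, UnicodeError):
        return None                          # truncated or malformed: treat as no SNI


def l4_decision(dst_port: int) -> str:
    """Port-based rule: every HTTPS flow is just 'tcp/443'."""
    return "allow" if dst_port in (80, 443) else "block"


def l7_decision(dst_port: int, payload: bytes, blocked=BLOCKED_NAMES) -> Tuple[str, Optional[str]]:
    """Application-aware rule: same port check, then classify by SNI.

    Returns (verdict, classified_name).  A flow without SNI cannot be
    classified by name, so it is passed through but flagged as unclassified.
    """
    if l4_decision(dst_port) == "block":
        return ("block", None)
    sni = parse_sni(payload)
    if sni is None:
        return ("allow-unclassified", None)
    host = sni.lower()
    if any(host == b or host.endswith("." + b) for b in blocked):
        return ("block", sni)
    return ("allow", sni)


if __name__ == "__main__":
    for name in ("video.example.com", "docs.example.com", None):
        pkt = build_client_hello(name)
        print(f"SNI={name!s:18} L4={l4_decision(443):6} L7={l7_decision(443, pkt)}")
```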
I talked my boss into using pfsense (Plus on an HA pair of Netgate devices) in some, fortunately not so critical, point and got burned by a few nasty bugs including one unthinkable in this day and age.
I'd be interested to hear your thoughts on Palo Alto Networks products.
They work well
I'm looking at the unifi UDM Pro, the SE isn't worth the extra, I already have the PoE injectors.
I think the UDM Pro is easier to set up etc than pfsense.
The only thing I don't like about unifi is they're slow at putting out patches and new features.
I could virtualise pfsense I suppose.. aarrggh stuck between what to get now lol..
Great video! What do you think about Mikrotik?
That they have a steep learning curve and lacking documentation
It would seem from the listed criteria that this video is more focused on SMB or entry-level market - I didn't see positioning for this so apologies if I missed it. And nothing wrong with that. But there's a huge set of features missing here that relates to mid- and enterprise market. Many of the firewalls here would be removed from the chart for lack of support. Link performance metrics, vxlan, evpn, twamp, cgnat, hyperscale, sso, hardware switching, IPsec aggs, ztna, saml, wired and WiFi nac, dynamic cloud objects/SDN, dynamic mesh IPsec, etc. List goes on and on. So these need to be considered for the use case you need.
Also wanted to mention that the FortiGate supports the complete acme protocol, not just let's encrypt. Not sure about the other products. With recent murmurs from Google about wanting 90 day TLS certificate expiry, this is going to be a critical feature.
I look forward to getting everyone on the 90 day certs and supporting ACME.
@@LAWRENCESYSTEMS in 2 minds about this, there's a lot of stuff that have convoluted certificate management - SAP especially comes to mind here.
Excellent video and perfect timing. We are considering a new firewall.
I love OPNsense, it is really equivalent to pfSense, both used in a commercial environment.
And a bit biased because it is a Dutch product 8-)
would be good to see SAML/SSO support :p
I'm a network guy joining the MSP space. Meraki, unifi, then other. Sophos and fortigate are out there, but meraki and unifi are better for use case. This is coming from a sonicwall and mikrotik background as well.
Currently looking at araknis.
What is the actual Sophos product please Tom? A few minutes of looking round their impenetrable website has left me none the wiser!
www.sophos.com/en-us/products/next-gen-firewall
What firewall do you recommend for a PPPoE 3Gbps+ fiber connection?
I never use PPPoE so I don't have any suggestions.
@@LAWRENCESYSTEMS Thank you for your reply. I know Pfsense supports it but it's not quick since it's a single threaded process.
We primarily use SonicWall and Meraki but have a few Fortinet and Unifi we support. As of late I've started to hate the SonicWalls for some stability/bugs myself and other admins have encountered. Personally for homelab I like Unifi as well as pfSense for testing.
That is why I left Sonicwall off the list, I know many are using them, but no one is stating they like them.
We were a Sonicwall user... never going back, because of their aggressive way of selling.
When dell bought Sonicwall years ago it was the beginning of the end for them, at least in my mind. Though truthfully I haven't touched one in quite a while.
@@LAWRENCESYSTEMS I have been using SonicWall for 20 years and they just keep getting better and better. I have hundreds of them running without a single glitch, ever.
Meraki does have a virtual MX (vMX) appliance for AWS or Azure.
Meraki will also work once the license expires, you just can't view any client information or make changes via the dashboard, you get locked out of the dashboard not the device.
Meraki can be virtualized using their vMX service.
Hi Tom, can you do a review on Zenarmor on Pfsense?
Nope, not something I plan on using
I thought you also used Untangle for places that need web filtering? (edit, typed too soon)
We do, but not often as endpoint filtering is easier to manage.
So I have a question about the recent pfsense update... I have an sg-3100 which I know netgate stopped selling, but when I try updating the software in my appliance it just keeps looping and doesn't seem to update. Should I just reset my appliance or is there something to do to force the update to install?
Or you could do a fresh install with the latest version and reload
@Lawrence Systems ah yeah, I didn't think about that. I just got frustrated, I guess. Thank you, I'll do that
Carrying water for pfSense.. they try hard to stall pfSense CE usage and adoption by not updating it.
In your opinion which one is the best firewall, and is there a way to be invisible on the internet without being tracked by your ISP and other companies?
We prefer pfsense and you can use a privacy VPN with it.
@@LAWRENCESYSTEMS Thanks, I was thinking of redesigning the home network with Cisco enterprise and adding pfsense to the equation, maybe something hybrid. I am planning to start a YouTube channel sometime but I want to set up a server backing up YouTube video on my local server, so what type of setup do you recommend? Do I need a 10Gb network? I also have to consider privacy, now most common browsers have built-in trackers so I want to stay private. Do I need fiber optic on the LAN? What are your thoughts? Not really sure how to go about it.
@@LAWRENCESYSTEMS By the way I am a nerd at heart, so I've been following your channel for a long time, great content.
What is the dummy mode firewall for non-networking dummies that still want privacy/security? Pihole?