Great video. I would like some more info on how you configure customer pfSense firewalls to VPN back to you and coordinate them all in regards to centralized management.
@LAWRENCESYSTEMS I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice. However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
@taetschmeischter Yep, I truly love Juniper, IBM, HP Aruba and Cisco switches and firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. pfSense is really complete and easy to install. The rest I don't really know. So I will find out in this video. Haven't started watching yet.
Don't use Netgate appliances for your firewalls. Use quad or octo Xeon CPUs in your datacenters, or Cisco 9300 series, or Juniper SRX series. As soon as you go above 40 Gbps throughput, your speeds will suffer enormously. Made that mistake once at a client who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
On Sophos: I loved their old SG (Astaro-ish) versions that were a dream to work with. Now I'm doing XG and I hate it. They also charge for updates now; even though I have already got the Network Protection licence for 5y, they now want me to pay extra. As it's an Intel-based XG230, I will reinstall it with OPNsense or just plain Arch Linux.
Kind of irrelevant question, but when you use pfSense (OPNsense and others), do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfSense behind it? Especially nowadays that all connections have VoIP it is even more difficult to do so, since many providers (at least in my country all of them) don't provide VoIP credentials to set it up on your own. So you end up with double NAT and pfSense sees the internal IP address as the public one. On the other hand I don't think pfSense can act as a standalone modem, so it needs one in front. Am I right? Thank you
Yes, these are all firewall solutions, not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them.
@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than us here in Greece (they act like a different government and try anything but to help the client).
If we are talking SMB, those are OK; I even consider using OPNsense or even Zentyal... but for more complex clients (like managing a lot of FWs, or doing some special things, etc.) we are talking about Palo Alto, Check Point, Fortinet, Cisco ASA, etc. BTW: Fortinet is Unix-like, not considered Linux (because it has its own kernel for their SoC).
@bx1803 That'd be my choice too. I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick FortiGate.
How's IPv6 support on these? Is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience. The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
Would be interested in seeing how you used vpns for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
The thing that seems hard to find is decent reporting. I want to know how much data each of my devices is using, and also break it down by major apps (e.g., 100 GB of Netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a Sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking; the fan also is way too loud for home. It lasted about 7 weeks before being packed back in its box, never to be used again. Currently trying pfSense on an old Dell SFF PC, and meh: BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all, and ntopng is complicated and I'm not convinced it's going to gimme what I want. Some of the options (like Arista) I'd never even heard of before, so it gives me something to look at anyway.
I purchased a Mikrotik router about 30 days ago. Absolutely horrible documentation, never did figure it out, am now switching to pfSense. So much support, unbelievable.
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
@MoD_Master_Of_Disaster_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
Love your videos Tom! I would love to see a video where you talk about the difference in the security architecture of something like Snort or Suricata with PFSense, versus ATP+UTM services provided by companies like Fortinet, Sophos, Meraki, Sonicwall, Palo Alto, etc. I am just getting back into PFSense after a few years off, and I'm honestly wondering how far things have come to make open-source(ish) firewalls more like "NGFW" systems that always have paid licenses, or things like Sophos Endpoint.
@LAWRENCESYSTEMS Ok thanks. I did a lot of searching and reading about that before watching your video here, but I could not find anything. If you know where I can read or watch any videos about that I would love some links or recommendations!
@radiowolf80211 Cisco owns Snort so that connection is easy. UniFi uses Suricata; there is not really any documentation other than when people SSH into these devices.
@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load balancers because it sells better? Technically load balancers are just glorified reverse proxies.
I have now been handling and managing FortiGate for 2 years. I can say it can fulfill all the requirements of a business at a country level. Love this firewall.
I have a question about pfSense and UniFi. I took your advice from watching your videos and ordered a Netgate 4100 Max, and I want to order some UniFi switches, access points and cameras. I also want to order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with pfSense, or would you recommend using a different solution to control and capture video for my cameras?
We've gone from pfSense -> Sophos XG -> FortiGate, and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main use case) by doing a fake NAT, and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and, like I said, it also just doesn't work at all. No such issues or workarounds at all on the FortiGates.
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
This was a nice breakdown! I used Meraki a few years ago and it was very "hands off, you tech, leave it to us!", which was frustrating. I've been on IPFire for several years now and think it would be a great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but I would be surprised if it would not hold its own.
Thank you for the video. Curious on your take of Araknis Networks routers; I use them at smaller client setups. Good price point, super nice builds, 2 year hardware warranty, lifetime support and firmware updates with no license fees at all. I usually get the full suite (router, switches, APs) and it works with OvrC, a web-based control portal, for free. There are no monthlies on anything Araknis, which I and my clients appreciate.
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to setup any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for Auth is also very easy. I will say that I prefer pfSense but that's just me.
I just upgraded my home internet connection to 3 Gbps, and have been thinking about upgrading my firewall (Netgate XG-7100) to add 10G support. I really like the Netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter (since the XG-7100 doesn't support copper SFP+ modules) or upgrade the firewall. Curious to hear your recommendation.
My employer has always purchased Meraki direct through CDW / Insight, so I don't know if they are going around MSPs. The license seems to also be a support agreement, as they have replaced dead APs with newer models a few times.
Meraki is not allowed to sell directly, if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic but the bottom line is; communication fixes all.
True, but it really doesn't matter in a home environment. I've got over 250 clients in my network, about 40 VLANs, 50-ish rules, static routing, a RED connection to my cloud-hosted XG, 10/40 Gbit networking, and I've never experienced any issues concerning the hardware limit.
@DavidSondermann Wasn't insinuating that it was a negative, just didn't want people to see Home Edition and think it would be heavily dumbed down vs the paid version. Been using it myself a couple of years with no issues.
They're sold exclusively to companies only. Your average Joe can't purchase one. Not sure to what audience this video is intended for, but I'm assuming it isn't restricted to just enterprise.
@Faithhh071 Not really... you can buy it even as a private individual, if you've got the money. Even a 400 series would cost thousands of dollars for the first three years and about another thousand every three years after.
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out Mikrotik as well. A number of companies, and even ISPs, use Mikrotik. Not that I'm a fan of Mikrotik or anything; in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe Mikrotik should have a place in the list just like UniFi.
I don't know what you're smoking. Mikrotik have to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface-wise. Vendors do/name things slightly differently, but Mikrotik take the cake when it comes to confusing the hell out of you... Good luck troubleshooting complex setups on them.
Good ole IPCop, which is what IPFire is based on. Happy to see it's pretty active. I moved to pfSense a long time ago as I needed more enterprise-like features.
I'm an IT Security Engineer myself. The video was pretty good. Sadly no Palo Alto was in the comparison. Personally I worked with the old Sophos UTM, which in my opinion had the best UI for new users. The new XG is a step, but in the wrong direction. Therefore we switched to FortiGate, which are pretty nice. My homelab is based on an 80F. But the Palo Alto is kind of my favourite FW. And one thing I have to say: no FW should have a mail filter or reverse proxy, because there are way better products like the NetScaler and the IronPort.
NetScaler is for big companies that have A LOT of stuff that people can access, and is mostly a thing of the past unless you are vendor locked-in and forced to host your own stuff. In today's space, most companies should probably host their services on Azure/AWS/Google and benefit from their own netscaling infrastructures that no one can challenge.
I don't get why pfSense doesn't have any easy way to do content filtering. Even if it's paid, the option would be nice. How come all the others can do it easily? I use Sophos and that's the main reason why. They are reliable and can block a ton of apps.
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations, etc.
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device, set that up, and then cut over at some point, at which time you find out if you got all the settings right.
If we keep Snort & Suricata (sorry for spelling) off initially after setting up a pfSense, is that a risk? In other words, should one of them be enabled at all times? Or does the default setup wizard completion at least offer a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? Thanks in advance so much!!!!
I'm really surprised to see so few of the mainstream options listed. A few everyone should be aware of: Cisco ASA/Firepower, Palo Alto, Juniper, Check Point, WatchGuard, Barracuda and SonicWall. The primary options in this video are really more suited for small offices.
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway then Sophos UTM. I still have a few of the Astaro AP's.
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
Long term Sophos/Astaro UTM user here. I finally migrated from UTM to XG in my homelab environment and the first steps were pretty wonky for me. I adjusted to the new UI quickly and can't imagine going back to the old UTM. Sadly I've got some problems with the XG lately: daily mails about the log threshold/disk space. The VM has 150 GB... My UTM worked with an 80 GB SSD.
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
Sophos's UTM does support LE directly from within the UI. XG (SFOS) requires half-assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and is going EOL entirely 6/2026. That's progress for you!
@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro), then killed it after they bought XG, which was owned by Cyberoam.
What about Fortinet NGFW? Currently I am using pfSense but would like to move on to another FW as Squid is no longer supported. Our main use is to block all websites and certain websites group-wise, and allow all websites for Management.
Due to more encryption being used today, filtering web traffic at the firewall is more challenging than using a tool on the endpoint. We use Zoru for web filtering. Fortinet is a security mess th-cam.com/video/7sEI89FAD3c/w-d-xo.html
I started out with my PF Flyers sneakernet firewall back in the 80's; you kids may not understand. I do not want to go back to those days. It was fun then, but now, LOL, no way.
I'm looking at the UniFi UDM Pro; the SE isn't worth the extra, I already have the PoE injectors. I think the UDM Pro is easier to set up etc. than pfSense. The only thing I don't like about UniFi is they're slow at putting out patches and new features. I could virtualise pfSense I suppose... aarrggh, stuck between what to get now lol.
@LAWRENCESYSTEMS Oh man, that stings. That's all we use. Most of the larger businesses use it here in South Carolina. It's actually awesome but can get pricey.
@LAWRENCESYSTEMS Which is why I am not using the router functions, other than just switches, which is perfect for my needs. It'll be nice to have if I need it. Oh, the latest firmware lets you run containers! Crazy for a switch!
I'm using pfSense and tried to block some websites such as YouTube, but it's not working using everything, including pfBlockerNG and firewall rules. Could you explain why?
@LAWRENCESYSTEMS I only ask because whenever the topic of cyber insurance comes up at work they always try to check off features of our pfSense against the mythical NGFW 🙂
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
It would seem from the listed criteria that this video is more focused on the SMB or entry-level market. I didn't see positioning for this, so apologies if I missed it. And nothing wrong with that. But there's a huge set of features missing here that relates to the mid-market and enterprise market. Many of the firewalls here would be removed from the chart for lack of support: link performance metrics, VXLAN, EVPN, TWAMP, CGNAT, hyperscale, SSO, hardware switching, IPsec aggregates, ZTNA, SAML, wired and WiFi NAC, dynamic cloud objects/SDN, dynamic mesh IPsec, etc. The list goes on and on. So these need to be considered for the use case you need.
Also wanted to mention that the FortiGate supports the complete ACME protocol, not just Let's Encrypt. Not sure about the other products. With recent murmurs from Google about wanting 90-day TLS certificate expiry, this is going to be a critical feature.
A few notes:
The Fortinet DOES have a reverse proxy (not just load balancer)
The Sophos DOES support Let's Encrypt for their web interface.
FortiGate can be run as a virtual machine.
What about Antivirus, Antispam, File Filter, SSL inspection, SD-WAN, IPS that actually gets the job done? This is a really limited list, covering only stuff that pfSense does.
You either did not watch the video or did not look at the comparison chart (probably both) because most of those features are on the list.
@LAWRENCESYSTEMS Multi-WAN is not SD-WAN. Antivirus or Antispam is not mentioned at all.
The hard truth is that open source firewalls are really not that good when it comes to endpoint protection, from antivirus to content filtering; they are just too much to handle. Even then, they are not reliable.
IPS is covered, sorry about that. Although IPS with SSL enabled is a whole other story.
Multiple WAN and SD-WAN are on there. So is the SSL inspection. Are you even looking at the same chart? For someone trying to make their point about "The Hard Truth" of open source, not reading the materials presented is not helping your credibility.
@SmoothOper4t0r You don't need endpoint protection; that's what Cylance/CrowdStrike/SentinelOne is for. Same with the SIEM: let the SOC handle it, buy it as a service that just works and check it off your insurance form. Then get ThreatLocker.
Great stuff! would love this to be an annual thing. Great reference!
Most wanted video for quite some time. Thanks Lawrence
Lol just fyi his name is Tom Lawrence.
4 minutes of disclaimers so Tom doesn't have to deal with, "why not xyz?"
... will still be asked, "why not xyz?".
Yes, but all those comments do help the YouTube algorithm know that people find this content engaging!
@LAWRENCESYSTEMS Which is the best? Is it Sophos?
@josealfredfernandes The best one is the one that fits all your needs.
I was using pfSense for 5+ years and recently started having issues with rule schedules not blocking what I need to.
Switched to OPNsense and was amazed: issues are gone and I live in 2023 now, not in 2000, which the pfSense web UI is stuck in. Very happy with it and would say it is worth trying.
Didn't realize the GUIs were that different. I haven't had any issues with pfSense yet, but I might spin up OPNsense just to see what I might be missing.
Am interested in a bit more specification if you don't mind. Maybe I'd have to look into this.
@TheFibie007 I have some IPs that should be restricted going outside based on a schedule. I've created 2 rules: one to block always and another to allow on a specific schedule. It's been working for years but the latest update broke it. I've been using the Home Plus licence.
Rules just stopped working; the schedule was ignored. The only way to enforce the rule was to reboot pfSense. Client WiFi reconnection and even a reboot didn't do anything. To illustrate: the rule allows the connection but the client can't connect; pfSense rebooted, the client can connect. Then the rule does not allow the connection but the client can still connect, even connecting to the LAN after the disabling rule is in effect; again a pfSense reboot is the only way to enforce it.
I actually prefer the pfSense UI. It seems more logically laid out, at least in my mind. OPNsense's UI is more "modern" looking but not necessarily better. On the same browser it is slower to navigate between screens. Also, the gray colored font is harder to read than pf's more contrasting colors.
Regarding the scheduling issue, it's likely a pfSense bug that needs to be fixed. This is version 23.01. By 23.10 hopefully most bugs will be fixed. Learned a long, long time ago to never update to the newest version right away. Give it at least 6 months before even considering testing it.
@geepeezee5030 pfSense UI is usable, no doubt. I prefer the OPNsense UI but it's a personal taste.
I haven't upgraded straight away; gave it a couple of months from the release. Rather than reinstall I've decided to try OPNsense and, as I've mentioned, not looking back.
Really appreciate the run down. Comparing firewalls is hard at the best of times, happy you made this video. (The sheet could be a very useful resource in the future) 👍
I was kind of a long time user of pfsense, and still use it for old testing environments, but at one point I got a Mikrotik Router, that has served me very well for any needed advanced firewall configurations, as well as VPN endpoints.
RouterOS has a lot of good features inside.
Except when you need IPsec VTI 😅
Thanks pal, great help on this topic!
Personally, I like FortiGate as a solid, easy to configure, affordable all-around FW for SMB and large enterprises. For home, while I would still prefer using FortiGate, I can see the use case for pfSense if you need some common features that home users prefer like Tailscale, WireGuard, etc. With the small FortiGates being in the same price range as comparably spec'd pfSense appliances, I usually just go for FortiGate in most scenarios. You only need to pay for licensing if you're looking to unlock Layer 7 features.
The FortiGate does have WAF/reverse proxy. You can turn the feature toggle on for it to display the options in the GUI to configure it.
Yes, I updated the chart.
@LAWRENCESYSTEMS FG also can run on VMs and containers.
@DjRio0001 Yes, that was noted in the video under "Can Be Virtualized".
Great video Tom! I would add 2 things to the list:
1. API
2. OpenVPN with LDAP/AD integration (and bonus if they have 2FA)
3. VxLAN
The reason I moved over to OPNsense from pfSense was because of API support for firewall rule and network automation and VxLAN. VxLAN support is definitely more nuanced, but I'm getting more involved in hyperconverged virtualization.
Yes, I don't like how often OPNsense updates either...
Line 24 covers #2 and API would be a debate on how functional that API is. VXLAN is not really used in the SMB space and rarely in the homelab space.
@LAWRENCESYSTEMS Hi Tom, I was referring to the distinction between users in AD/LDAP for firewall appliance login and users in AD/LDAP for OpenVPN login on the firewall appliance. For example, in pfSense, I can set up LDAP as my authentication server and then get my LDAP users to log into OpenVPN running on the appliance, authenticating against the LDAP server. Can that be done on UniFi appliances?
Not sure how well that works with UniFi.
Actually I do prefer the speed of the updates, as well as all the other reasons mentioned; main reason why I also moved to OPNsense, and assisted 3 companies in migrating to it coming from pfSense.
Long term Meraki user here, I even have 4 years and 299 days left on my licenses, but recently I moved to Pfsense. Main reason for ditching the Meraki MX64 firewall is that we've outgrown it. Being limited at 250Mbit on the WAN side is a 50% reduction of my internet speed (the ISP does give us a "free" speed increase every year or so). After having tested Pfsense as a VM on a Synology DS1621+ for a week, I bought the Netgate box. So last Friday I received my Netgate 6100 (with 4 years hardware support contract). Man am I blown away by it. Yes Meraki has some nifty features, though I don't think I'll miss them that much on our home network. I'm quite certain the Netgate box will serve us well for the next few years.
Thanks for the video Tom, just a quick correction though, you might want to rename the 'Operating System' row to 'Kernel'.
Keep up the great work, I enjoy your videos a lot!
For the most part, the best firewall is the one you know how to configure well... No point having a $10000 firewall if you don't turn any of the features on!
Technically, Meraki does have the vMX, which you can run virtualized. However, most people tend to use the Meraki hardware. The vMX is mostly for Cloud environments.
a vMX is only capable of facilitating VPN connections
I've been using Untangle since it was a Windows app (yes, you read that correctly), and I absolutely love it. No product is without its downfalls, but Untangle has been rock solid for me for at least 10 years. One of my production edge devices running Untangle is about 70 days away from 3yrs of uptime!
I do remember the demo app for Windows. For us, partners since version 5.01, I think back to 2007 or even 2006. A few years ago I did a few writeups on Untangle for a few tech websites.
Had a LOT of them out there in production, however my view of UTMs being super important for businesses is easing up, I'm focusing more on PDNS now. Also not confident in the direction Arista is taking Untangle.
Same. Have used Sophos UTM, Sophos XG, pfsense and Untangle and ultimately Untangle NGFW (latest). Untangle the best of the bunch.
Great video. I would like some more info on how you configure customer pfsense to vpn back to you and coordinate them all in regards to centralized management.
I'll make a video on that soon
I would like to see this too please!
Awesome! Love the shirt Tom.
I think MikroTik's RouterOS would've been a nice addition to the chart as well, just for all the homelab peeps.
I don't use them but they are inexpensive but also have a steep learning curve due to lacking documentation.
@@LAWRENCESYSTEMS @Lawrence Systems I agree. There's documentation, but it's really lacking in some regards. How to do specific things also changes from model to model due to differing underlying hardware sometimes, which isn't nice.
However, if all you need is a L4 firewall and router, they're extremely capable and, in comparison, quite cheap.
Nice Content, Thank you
Fortigate can run on your own hardware with the FortiGate VM
I'm surprised Palo Alto didn't make the list
Yes I agree. They are a major player in the market.
Checkpoint and Juniper for the big world 😂
Looking at the brands I’d say these are the small business options.
@@taetschmeischter yep I truly love Juniper, IBM, HP Aruba and Cisco switches and Firewalls. Sophos and Fortinet are okay (though lots of Fortinets are not upgraded, so really easy to hack with Metasploit). UniFi has a great interface. PfSense is really complete and easy to install. The rest I don't really know. So I will find out in this video. Haven't started watching yet.
Don't use NetGate appliances for your firewalls. Use Quad or Octo Xeon CPUs in your datacenters or Cisco 9300 series. Or Juniper SRX series. As soon as you go above 40 Gbps throughput, your speeds will suffer enormously. Made that mistake once at a client, who asked me to take a cheaper approach than the Cisco switches and firewalls I had in my first offer.
The firewall rule based on AD would actually be a great future feature for pfSense. Hopefully it is something we will see down the road.
After the central management feature :)
@@Traumatree cloud management, then LDAP
@@Traumatree If they did this i would sell boatloads, but now with 20 or so in the wild its just too much to manage...
To the Sophos: I loved their old SG (Astaro-ish) version that was a dream to work with. Now I'm doing XG and I hate it. They also charge for updates now; even if I have already got the Network Protection licence for 5y, they now want me to pay extra. As it's an Intel based XG230, I will reinstall it with opnsense or just plain Arch Linux.
Thank you so much for your help ❤🎉
Kind of irrelevant question, but when you use pfsense (OPNsense and others) do you always have to turn the ISP's modem-router to bridge mode in order to pass through the connection to your custom machine running pfsense behind it? Especially nowadays that all connections have voip it is even more difficult to do so, since many providers (at least in my country all of them) don't provide voip credentials to set it up your own. So you end up with double NAT and pfsense sees the internal ip address as the public one.
On the other hand I don't think pfsense can act as a standalone modem so it needs one in front. Am I right?
Thank you
Yes, these are all firewall solutions, not modems. To connect a modem you either do a double NAT or put the modem in bridge mode. Decent modems can do bridge mode or can be put in bridge mode by the ISP if you ask them
@@marcogenovesi8570 Thanks for the reply but (ahahah) you seem to have way more helpful ISPs there than us here in Greece (they act like a different government and try anything but to help client)
If we are talking SMB, those are ok; I'd even consider using OPNsense or even Zentyal... but for more complex clients (like managing a lot of FWs, or doing some special things, etc.) we are talking about Palo Alto, Checkpoint, Fortinet, Cisco ASA, etc. BTW: Fortinet is Unix-like, not considered Linux (because it has its own kernel for their SoC).
This. Especially the first three you mentioned. I am not sure if I'd consider ASA at the same level as the other three tho.
@@tbard PAN is the way to go for enterprise level NGFW.
@@bx1803 that'd be my choice too, I'm a PCNSE myself, but I do consider Fortinet a close second among the ones I had to work with. And there are some fringe cases where I'd rather pick Fortigate.
How's IPv6 support on these - is the firewall / application filtering / ... at feature parity, or is it nonexistent? Internet suggestions are that Untangle isn't very good on this side, and other than pfSense / OPNsense being essentially at feature parity I'm not sure about the others.
I never have to use IPv6 so I didn't put it on the list.
OPNsense works well with IPv6 on my admittedly small network. If you have or need IPv6 I suggest avoiding OpenWRT. You will probably not have a good experience.
The difference in UI was a good chunk of the reason I chose OPNsense over pfsense.
It's missing Cisco Firepower (FTD), the new version 7.3 has some really neat features like EVE (Encrypted Visibility Engine), which allows the device to watch for malware within encrypted traffic without the need to decrypt it.
What are your thoughts on the extra advanced threat/malware detection features that some firewalls are preaching? Is there something similar for pfsense?
Would be interested in seeing how you used vpns for reliable remote access to firewalls. I have a few hundred pfSense firewalls in the wild. Managing them has been a chore.
The thing that seems hard to find is decent reporting - I want to know how much data each of my devices is using, and also break it down by major apps (e.g., 100GB of netflix, 80 of which from this device, 20 from that device). I made the mistake of buying a sophos XGS 87w and finding that it does not do local reporting and the cloud reporting is lacking - the fan also is way too loud for home. It lasted about 7 weeks before being packed back in its box never to be used again. Currently trying pfsense on an old Dell sff pc - and meh; BandwidthD can give totals per device, but nothing about apps, darkstat doesn't seem useful at all and ntopng is complicated and I'm not convinced it's going to gimme what I want.
Some of the options (like Arista) I'd never even heard of before so gives me something to look at anyway
I purchased a Mikrotik router about 30 days ago, absolutely horrible documentation, never did figure it out, am now switching to pfsense so much support unbelievable.
There actually is a virtual option for Meraki! Meraki vMX, for 'private cloud' it looks like you need Cisco NFVIS. Looks like hot trash, but thought I'd mention it. Great stuff Tom.
Meraki vmx only does vpn.
@@MoD_Master_Of_Disaster_ Oh really? When I last deployed one I swear you could run it in NAT mode and it behaved like any other MX. It's been a minute though.
You are looking good! Did you do something to your hair?
Love your videos Tom! I would love to see a video where you talk about the difference in the security architecture of something like Snort or Suricata with PFSense, versus ATP+UTM services provided by companies like Fortinet, Sophos, Meraki, Sonicwall, Palo Alto, etc. I am just getting back into PFSense after a few years off, and I'm honestly wondering how far things have come to make open-source(ish) firewalls more like "NGFW" systems that always have paid licenses, or things like Sophos Endpoint.
The closed source companies are using the same tools such as Suricata and Snort, they just manage them for you.
@@LAWRENCESYSTEMS Ok thanks. I did a lot of searching and reading about that before watching your video here, but I could not find anything. If you know where I can read or watch any videos about that I would love some links or recommendations!
@@radiowolf80211 Cisco owns Snort so that connection is easy, UniFi uses Suricata, there is not really any documentation other than when people SSH into these devices.
Fortigates can do reverse proxy as well as WAF. I have a Fortigate running a reverse proxy in my house right now.
Interesting all I found in their documentation was https load balancing which is not exactly the same as a reverse proxy.
@@LAWRENCESYSTEMS Haven't they all started to rename reverse proxies to load-balancers because it sells better? Technically load-balancers are just glorified reverse proxies.
@@LAWRENCESYSTEMS virtual servers is their branding around that feature; I admit it's not clear at first glance
I updated the chart
It is now 2 years that I handle and manage FortiGate. I can say it can fulfill all the requirements of a business in a country level. Love this firewall
I have a question about PFSense and Unifi. I took your advice from watching your videos and ordered a Netgate 4100 Max and I want to order some Unifi switches, access points and cameras. I want to also order a Dream Machine SE to make it easier to control the cameras for home use. Would you recommend using a Dream Machine with PFSense or would you recommend using a different solution to control and capture video for my cameras?
We've gone from pfSense -> Sophos XG -> FortiGate and the only addition I have to make that wasn't mentioned is that Sophos' GeoIP filtering is entirely non-functional. They only support it in combination with their WAF (which is imo the main usecase) by doing a fake-NAT and it doesn't work at all. IPs show as an allowed country in the logs but are still blocked / matched by the NAT rule. Plus, the fact you have to use a fake NAT at all is hard to document and log. It's clearly a workaround and like I said - it also just doesn't work at all. No such issues or workarounds at all on the FortiGates
This was an issue, which is already fixed within the System of SFOS. So if you block a Country, you can do it by using a firewall rule and block the access. If you have a WAF or Service, you need the NAT Rule, but it still blocks the traffic and logs this traffic accordingly.
This was a nice breakdown! I've used Meraki a few years ago and it was very 'hands off, you tech, leave it to us!' - which was frustrating.
I've been on IPFire for several years now and think it would be a great firewall to have on your next roundup. I cannot speak to its viability in terms of business usage, as I use it for my home network, but would be surprised if it would not hold its own.
Not likely that I will use it as it does not offer any compelling features over pfsense.
Thank you for the video
Curious on your take of Araknis Networks Routers, I use them at smaller clients setups
Good price point, super nice builds, 2 year hardware warranty lifetime support and firmware updates with no license fees at all
I usually get the full suite, Router, Switches, AP's and it works with OvrC a web based control portal for free, there are no monthly's on anything Araknis, which I and my clients appreciate.
I really like working with Meraki but you have to prepare yourself (or at least management) for the ongoing licensing costs.
Informative video... however, we use Sonicwall.
At work, we use Meraki and Fortinet. At home, I use pfSense with custom hardware. I can't fault any of the three in terms of the product itself. Meraki is very easy and straightforward to use, we have all of our clients in one place and it's very easy to manage. Fortinet is more of a pain to manage but the firewall itself is very solid. It's easy to setup any type of VPN the units support as well. Tying either Meraki or Fortinet to AD for Auth is also very easy.
I will say that I prefer pfSense but that's just me.
Great review Tom, very informative, thanks.
I just upgraded my home internet connection to 3Gbps, and have been thinking about upgrading my firewall(NetGate xg7100) to add 10G support. I really like the netgate products, but they don't seem to have a solution. So either I buy a 10G switch and media converter(since the xg7100 doesn't support copper sfp+ modules) or upgrade the firewall. Curious to hear your recommendation.
I personally like your shirt
Thanks for this!
My employer has always purchased Meraki direct through CDW / Insight so I don't know if they are going around MSPs. The license seems to also be a support agreement as they have replaced dead APs with newer models a few times.
Meraki is not allowed to sell directly, if a rep were to reach out to a customer, it is likely because the reseller is being negligent and not communicating. Controversial topic but the bottom line is; communication fixes all.
I didn't realize that Untangle is owned by Arista, I only really knew them from their datacenter grade switches.
i just wanna mention that the Sophos Home edition is only hardware limited (4cores & 6gb ram) you still get the entire software package free
True but it really doesn't matter in a home environment. I got over 250 clients in my network, about 40VLANs, 50ish rules, static routing, RED Connection to my cloud hosted XG, 10/40Gbit networking and I've never experienced any issues concerning the hardware limit.
@@DavidSondermann wasn't insinuating that it was a negative, just didn't want people to see Home Edition & think it would be heavily dumbed down vs the paid version. Been using it myself couple years with no issues
Is this comparison spreadsheet available somewhere
Happy with Untangle/Arista for my customers since years and yes some parts are to be paid for the full version but you can choose not to.
Eyyyy perfect timing TY
I like the pfsense plusv feature to import openvpn client config😉
24:07 where is the chart? Please and thank you
In the description
No Palo Alto?
Average person can't get one
They're sold exclusively to companies only. Your average Joe can't purchase one. Not sure to what audience this video is intended for, but I'm assuming it isn't restricted to just enterprise.
It's very expensive even for businesses.
@@Faithhh071 not really... you can buy it even as a private individual. If you've got the money. Even a 400 series would cost thousands of dollars for the first three years and about another thousand every three years after.
@@tbard you can also just spin up a payg palo vm in most clouds...
Cannot wait for you to try Palo Alto firewalls!
You've explained the exclusion of OPNsense and it's totally agreeable, but you've missed out Mikrotik as well. A number of companies, and even ISPs, use Mikrotik. Not that I'm a fan of Mikrotik or anything; in fact I've not used any of their products and I use more of pfSense/OPNsense and Sophos XG, but I believe Mikrotik should have a place in the list just like UniFi.
I don't use them, and their steep learning curve and lack of documentation do not make me want to.
I don't know what you're smoking - Mikrotik have to be one of the worst router/firewalls I've used in my career. As per Lawrence, they're a steep learning curve, not technically, but just interface wise.. Vendors do/name things slightly differently but Mikrotik take the cake when it comes to confusing the hell out of you... Good luck troubleshooting complex setups on them.
I use ipfire and it so far is solid and smooth.
I was going to do an April Fools video reviewing one of the really old firewall distros I used to use but I ran out of time.
Good ole IPCop which is what IPFire is based on. Happy to see it's pretty active. I've moved to pfsense long time ago as I needed more enterprise like features.
I'm myself an IT Security Engineer. The video was pretty good. Sadly no PaloAlto was in the comparison. Personally I worked with the old Sophos UTM which in my opinion had the best UI for new users. The new XG is a step, but in the wrong direction. Therefore we switched to FortiGate which are pretty nice. My Homelab is based on an 80F. But the PaloAlto is kind of my favourite FW. And one thing I have to say: no FW should have a mail filter or reverse proxy because there are way better products like the Netscaler and the IronPort.
Netscaler is for big companies that have A LOT of stuff that people can access - and is mostly a thing of the past unless you are vendor locked-in and forced to host your own stuff. In today's space, most companies should probably host their services on Azure/AWS/Google and benefit from their own netscaling infrastructures that no one can challenge.
I don't get why pf sense doesn't have any easy way to do content filtering. Even if it's paid the option would be nice. How come all the others can do it easily? I use sophos and that's the main reason why. They are reliable and can block a ton of apps.
It has Zenarmor now.
I have been a home user of Untangle for a decade, but I am considering moving to pfSense. I would love a video going over how to plan a move like that with several VLANs, DHCP reservations etc.
There's no one to one transfer and are you using the web filtering on Untangle? There is no good equivalent in pfsense.
@@LAWRENCESYSTEMS use pihole for this.
You could move DHCP services to another device like a Raspberry Pi. You could do that temporarily to make the move easier. Or perhaps you acquire a second hardware device and set it up and then cut over at some point, at which time you find out if you got all the settings right.
Would've loved to see OPNsense. Also, sadly there's no automation capability comparison.
what about WatchGuard? :-) I actually use their deprecated hardware for pfSense for a while
The FortiGates can also use its Let’s encrypt certificate for its SSL VPN and the VPN Webportal which is great
if we keep snort & suricata (sorry for spelling) off initially after setting up a pfsense, is that a risk? in other words, should one of them be at least enabled at all times? or is the default setup wizard completion at least offering a bit of protection until we have the time window to try one of those packages and have our internet go up and down while testing them? thanks in advance so much!!!!
Leaving them off is fine
Great video. I honestly think Unifi is the easiest vpn but I do use that the most. Next up would be PFsense
Their site to site is, their user VPN is lacking
@@LAWRENCESYSTEMS agree, UID is much easier . But most people won’t sign up for that and is a lot more steps
@@LAWRENCESYSTEMS have u tried UID?
cisco ASA ?
Another nice column would be log output format like CEF over Syslog etc
Great video! What do you think about Mikrotik?
That they have a steep learning curve and lacking documentation
Thanks for the review. Any chance you ever do a review of antivirus that works well with this?
I think you are asking about firewall based AV and I am not aware of any that are effective.
Great video!
would be good to see SAML/SSO support :p
It would be awesome if you could please do a video on Twingate as well, I am curious to know what you think. Thank you.
I don't really have any interest in Twingate; closed source vs Tailscale which is open source, more transparent, and has better documentation.
For the SMB, I feel you are missing the boat by not including WATCHGUARD.
I’m really surprised to see so few of the mainstream options listed, a few everyone should be aware of:
Cisco ASA/Firepower, PaloAlto, Juniper, Check Point, WatchGuard, Barracuda and Sonicwall.
The primary options in this video are really more suited for small offices.
Fortinet, Sophos XG and even Meraki are not only "more suitable for small offices"
Barracuda? 💀💀💀
Sophos is pretty rock solid. Prior to Sophos XG it had a very steep learning curve. I've used it since it was Astaro Security Gateway then Sophos UTM. I still have a few of the Astaro AP's.
I actually found the opposite. I had a hard time adjusting to XG as I was used to UTM's way of doing things, partly because I'd used it since v4, but also because UTM's setup felt like a GUI overtop of tools I'd already used managing Linux systems, which in some sense it was at least early on.
Switching to sophos XG from Meraki has been a very bad experience for us
Same. SG interface and features still better than the XG
Long term Sophos/Astaro UTM User here. I finally migrated from UTM to XG in my Homelab environment and the first steps were pretty wonky for me.
I adjusted to the new UI quickly and can't imagine going back to the old UTM.
Sadly I've got some problems with the XG lately. Daily mails about the log threshold/disk space. The VM has 150gb... My UTM worked with a 80gb SSD.
Sadly the UTM is EOL now. The XG Webinterface is trash
Curious what the SMB uptake is for Firewalla (Understand why it's not here - I watched the video :))
I have links to reviews in the description, I really feel it's a consumer product and I find it odd that it uses a phone app for management.
Sophos does support Let's Encrypt certificates, but just not for SSL/TLS inspection. Note that there are currently two actively supported versions of the Sophos firewall: UTM and XG (the latter of which is now referred to as SFOS or simply as "Sophos Firewall".) Everything else is correct.
Sophos's UTM does support LE directly from within the UI. XG (sfos) requires half assed scripts to get it to work. Ironically, UTM will no longer be sold after 6/2023 and going EOL entirely 6/2026. That's progress for you!
@@geepeezee5030 Sophos will be losing a lot of customers by eliminating the UTM. It's basically due to greed. They bought the competition (UTM was owned by Astaro) then killed it, after they bought XG which was owned by Cyberoam.
Meraki can be virtualized using their vMX service.
What about Fortinet NGFW? Currently I am using pfSense but would like to move on to another FW as squid is no longer supported. Our main use is to block all websites and certain websites group-wise, and allow all websites for Management.
Due to more encryption being used today filtering at the firewalls for web traffic is more challenging than using a tool on the endpoint. We use Zoru for web filtering. Fortinet is a security mess th-cam.com/video/7sEI89FAD3c/w-d-xo.html
I started out with my pf flyers sneaker net firewall back in the 80's, you kids may not understand. I do not want to go back to those days, if was fun then but now, LOL no way.
Hi Tom, can you do a review on Zenarmor on Pfsense?
Nope, not something I plan on using
I'm looking at unifi udm pro, the se isn't worth the extra, i already have the poe injectors.
I think udm pro is easier to setup etc than pfsense.
The only thing i don't like about unifi is they're slow at putting out patches and new features.
I could virtualise pfsense i suppose.. aarrggh stuck between what to get now lol..
Is Checkpoint not on the list?
I never see them anymore.
@@LAWRENCESYSTEMS Oh man that stings. That's all we use. Most of the larger businesses use it here in South Carolina. It's actually awesome but can get pricey.
No MikroTik on the list Lawrence?
Nope, they have a good price but steeper learning curve and lacking documentation.
@@LAWRENCESYSTEMS Which is why I am not using the router functions other than just switches which is perfect for my needs. It'll be nice to have if I need it. Oh, latest firmware lets you run containers! Crazy for a switch!
@@LAWRENCESYSTEMS They now do have documentation I believe, but Mikrotik excel more as router than firewall.
I'd be interested to hear your thoughts on Palo Alto Networks products.
They work well
No Palo ?
I'm using PFsense tried to block some websites such as TH-cam but not working using everything and PFblockng and firewall rules, could you explain why?
i like watchguard!
and pfsense
IDS/IPS, Content Filtering, DNS filtering, GeoIP filtering
So what features do they need to add to consider these as NGFW?
NGFW is whatever marketing says it is.
@@LAWRENCESYSTEMS I only ask due to whenever the topic of cyber insurance comes up at work they always try to check off features of our pfsense against the mythical NGFW 🙂
NGFW traditionally means the firewall functions at all layers, including layer 7 of the OSI model (the application layer...the highest layer). It should perform application-level filtering. That is traditionally what "next-gen" means, however, how each firewall accomplishes this varies from one company to the next. So the firewalls like Sophos/Untangle/Fortinet perform filtering at the application layer and can be considered next-gen firewalls as they can block network data on the application level.
What firewall do you recommend for a PPPoe 3Gbps+ fiber connection?
I never use PPPoe so I don't have any suggestions
@@LAWRENCESYSTEMS Thank you for your reply. I know Pfsense supports it but it's not quick since it's a single threaded process.
It would seem from the listed criteria that this video is more focused on SMB or entry-level market - I didn't see positioning for this so apologies if I missed it. And nothing wrong with that. But there's a huge set of features missing here that relates to mid- and enterprise market. Many of the firewalls here would be removed from the chart for lack of support. Link performance metrics, vxlan, evpn, twamp, cgnat, hyperscale, sso, hardware switching, IPsec aggs, ztna, saml, wired and WiFi nac, dynamic cloud objects/SDN, dynamic mesh IPsec, etc. List goes on and on. So these need to be considered for the use case you need.
Also wanted to mention that the FortiGate supports the complete acme protocol, not just let's encrypt. Not sure about the other products. With recent murmurs from Google about wanting 90 day TLS certificate expiry, this is going to be a critical feature.
I look forward to getting everyone on the 90 day certs and supporting ACME.
@@LAWRENCESYSTEMS in 2 minds about this, there's a lot of stuff that have convoluted certificate management - SAP especially comes to mind here.
Excellent video and perfect timing. We are considering a new firewall.
What is the actual Sophos product please Tom? A few minutes of looking round their impenetrable website has left me none the wiser!
www.sophos.com/en-us/products/next-gen-firewall
Why let's encrypt is NO for Sophos? It is supported
When I first did a Google search and asked Christian Lempa he said no, but I did find it in the documentation so I fixed it in the chart.
I love OPNsense; it is really equivalent to pfSense, both used in a commercial environment
And a bit biased because it is a Dutch product 8-)