Netgate Discussion Forum

    Netgate 1100 compared to Zyxel USG 100 Flex

    Firewalling
    18 Posts 3 Posters 937 Views
      Firewalldude89

      Hi all

      In your opinion and insight, do you think a Zyxel USG Flex 100 is more secure than
      a Netgate 1100 or maybe 2100?

      https://www.itpro.com/security/unified-threat-management-utm/359220/zyxel-usg-flex-100-flexible-gateway-security

      I am thinking about, among other functions, SSL Inspection; could Zyxel be better at that than Netgate? I can get the Zyxel for 340-360 US dollars with a 1-year UTM license.

      And also Fortigate 40C without license for but it does have SSL Inspection function without license.

      Which Firewall would you choose?

        michmoor LAYER 8 Rebel Alliance @Firewalldude89

        @netgate1100guy
        Yes...Maybe No...The answer for sure is possibly.

        Firewall: NetGate,Palo Alto-VM,Juniper SRX
        Routing: Juniper, Arista, Cisco
        Switching: Juniper, Arista, Cisco
        Wireless: Unifi, Aruba IAP
        JNCIP,CCNP Enterprise

          Firewalldude89

          Yeah, depends on what functions you need. I need to inspect encrypted traffic and stop invisible threats, among other things.

            heper @Firewalldude89

            @netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:

            inspect encrypted traffic and stop invisible threats among other things.

            inspecting encrypted traffic is illegal in a lot of countries
            what are invisible threats?

              Firewalldude89 @heper

              @heper That also depends on whether it's a company or just a private user.
              There is a hacker who uses VPN to hack me, encrypted traffic.

                heper @Firewalldude89

                @netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:

                There is a hacker who uses VPN to hack me, encrypted traffic.

                what does that even mean? how would you be able to mitm them if you don't know them?

                  Firewalldude89 @heper

                  @heper VPN, or virtual private tunnel, can make it seem like you're in other countries. I know who it is. Squid Guard alone does help, MITM seems to complicate things..

                    heper @Firewalldude89

                    @netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:

                    squid Guard alone does help, MITM seems to complicate things..

                    how would squidguard help with any remote "hacking" and vpns?

                    are you sure you understand what is happening?

                      michmoor LAYER 8 Rebel Alliance

                      If you really want to do MITM [SSL decryption] then PF isn't the platform to do it in. Squid is just not a very good or supported feature.
                      I can't speak to Zyxel
                      Fortigate has numerous CVEs and a poor track record of disclosing vulnerabilities. It's a shady company in my opinion.
                      Before going the SSL Decrypt route you need to think long and hard about what is trying to be achieved. I'd much rather focus on endpoint protection than have the firewall take on the task, but that's just me.

                        Firewalldude89 @heper

                        @heper SquidGuard and/or Suricata or Snort block numerous IP addresses all the time.
                        I am not such an advanced user on this, but there is hacking going on for sure.

                        Well, SquidGuard doesn't decrypt and Squid may not be great for SSL Inspection compared to Zyxel.

                        Want to become expert on this (am quite newbie).

                          Firewalldude89 @michmoor

                          @michmoor I see you use many advanced devices. I have understood that Palo Alto is good at decryption but is also expensive. Zyxel should be much better than PF; the Zyxel model is from 2020.

                            heper @Firewalldude89

                            @netgate1100guy

                            i just read parts of your other posts about the same thing....

                            you don't appear to take advice very well, but i'll give it another go.

                            • squidguard does nothing against some external hacker

                            • ssl inspection in general does not work when dealing with devices that you do not own/control

                            • snort / suricata do not do what you think they do.

                            • there are no firewalls/utm from any brand that can unencrypt data or somehow protect you from devil vpns

                              Firewalldude89 @heper

                              @heper Hi, okay.

                              Thanks very much for another try.

                              Well, SquidGuard does block IP-addresses (but it does often block my own as well),
                              which is a config issue I guess.

                              So SSL Inspection or even Netgate 1100-2100 cannot protect against a malicious VPN hacker?
                              What can protect me then? Live a life without internet maybe?

                              Probably not, you have been here since 2010 so you should understand it far better
                              than me.

                              Well with SSL Inspection, traffic is decrypted, inspected and blocks any detected threats
                              and traffic package is re-encrypted again before it reaches the computer. Am I correct here?

                                heper @Firewalldude89

                                Am I correct here?

                                no

                                Well, SquidGuard does block IP-addresses (but it does often block my own as well), which is a config issue I guess.

                                squidguard only blocks traffic from your computer towards the internet. it has nothing to do with traffic from the internet to your computer.

                                What can protect me then? Live a life without internet maybe?

                                life without internet would be great. one could only hope.
                                hunting for dodos while running away from a t rex would be amazing

                                Well with SSL Inspection, traffic is decrypted, inspected and blocks any detected threats
                                and traffic package is re-encrypted again before it reaches the computer.

                                as i've said before SSL mitm inspection will only work with computers that you own or control.
                                you cannot do SSL mitm inspection on devices that are outside your network

                                  Firewalldude89 @heper

                                  @heper Hi and thanks.

                                  This helped much. What can effectively block malicious traffic from the internet to
                                  my computer? DNS Filter? Any other PF package as well.

                                  In general, what PF packages can protect against hacking?

                                    Firewalldude89 @michmoor

                                    @michmoor Hi

                                    What PF packages can protect against hackers? DNS Filter?
                                    Does SquidGuard or Squid do anything against hacking? (according to heper it doesn't)

                                    Will using 1.1.1.1 from Cloudflare give protection?

                                    Any kind of software, equipment or technology you know.

                                      michmoor LAYER 8 Rebel Alliance @Firewalldude89

                                      @netgate1100guy said in Netgate 1100 compared to Zyxel USG 100 Flex:

                                      What PF packages can protect against hackers?

                                      Security is overall complicated and the solutions are varied. The most important thing is what you do. For home use, keep inbound ports closed on the WAN side. Keep user machines updated with the latest A/V.
                                      If possible, put up some VLANs between your IoT devices and your desktops/laptops.
                                      Basic security hygiene will prevent the majority of issues.

                                      As pointed out, MITM is complicated enough for businesses, so why do it in a home environment where there is little to no benefit?

                                        Firewalldude89 @michmoor

                                        @michmoor Cloudflare DNS has an inherent firewall service so it seems good to use
                                        (DDoS protection) and now I use a link-local IP address for IPv6 and that might help since it's local.

                                        Because there are other ways to block hackers than just MITM or SSL Inspection.

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.