Buy or not a SG-8860?

marcelovvm · Jan 18, 2020, 10:03 PM

Dear friends,

I have the opportunity to purchase a SG-8860 1U at a good price. I live in Brazil and importing the XG-7100 is VERY expensive! So I found the opportunity to buy SG for 4X less than XG. However my question is whether the SG will meet my needs:

150 internet users (browser, email, downloads, etc.);
main internet link is 100Mbits;
the secondary link is 50Mbits;
we use VPN (OpenVPN) with a maximum of 10 simultaneous users;
internal redirection for access to a web system (IIS .Net) for a maximum of 5 simultaneous users;
enable IPS/IDS in near future;

Does SG-8860 support this scenario?

Netgate still intends to support SG (new versions of PFSense are compatible) for how long?

Live long and prosper,
Marcelo Magalhães

NollipfSense · Jan 18, 2020, 10:53 PM

It seems that you could get some use out of it in the short run (maybe two years). Not sure how taxing on the system with 8GB memory would ten simultaneous OpenVPN users be, plus the proposed IPS/IDS...the only way to know is try. It should be able to handle pfSense v2.5...so, based on the price, I would go for it!

stephenw10 · Jan 18, 2020, 11:22 PM

Should be no problem handling that. There are no plans to discontinue support for it I'm aware of.
You might want to check if it has ever been returned to us for repair.

Steve

marcelovvm · Jan 18, 2020, 11:51 PM

I understand, but I find it difficult to find out if it has already been repaired. I am in Brazil and in my city there is no technical assistance from Netgate (do I even know if in Brazil there is?). I even have his serial number: 1104170751. Can I even know if it is refurbished?

johnpoz · Jan 18, 2020, 11:55 PM

They are very helpful without a support contract for basic sorts of questions, how to recover from crashed system, that sort of thing, etc.. ... Just open a ticket, and ask has this been repaired by netgate.. Not sure why they would with hold such info? They sure prob wouldn't give you any details of what or when or by who, etc. But a yes no to has it been repair I would think they would be willing to answer.

stephenw10 · Jan 19, 2020, 12:07 AM

That unit has never needed to come back to us as far as I can see.

Steve

marcelovvm · Jan 19, 2020, 12:10 AM

I know the equipment is used but is working. But, It is complicated to know if he has already been repaired. In fact my first concern is if the equipment meets my needs, because if it doesn't, I don't see any other option than to "mount a PFSense Box" (buy a board, CPU, memory, etc.). Because the value of importing an XG-7100 far exceeds my budget!

marcelovvm · Jan 19, 2020, 3:59 PM

@stephenw10 Tks! Steve. This is a good intel!

NollipfSense · Jan 19, 2020, 3:59 PM

@marcelovvm It seems that you'll be the new owner of an SG-8860...congrats! After purchase if your leftover budget can allow a support contract, I would take it.

marcelovvm · Jan 19, 2020, 5:28 PM

@NollipfSense I haven't bought it yet, because I'm in doubt if the hardware will be able to support my needs. But for sure if you have a budget left, Netgate support will always be of great value! tks!

johnpoz · Jan 19, 2020, 8:14 PM

8860 could for sure handle the amount of traffic you have described.. 150mbps of traffic - don't even think it would break a sweat ;)

What exactly are you planning on doing with IPS/IDS? To be honest with the amount of https actual useful anything with it is becoming more difficult... I would think you might have use for it with traffic to your servers behind, but you would really need to do the offloading of the SSL, and then traffic through IPS... Kind of hard for IPS to find signatures of bad traffic if all it can see is the outer encrypted shell of https.

marcelovvm · Jan 19, 2020, 10:58 PM

@johnpoz I agree ... in the past we tried to implement IPS, in a simple way
, and found that 70% of our traffic was https and therefore could not be analyzed (and even blocked). So we started with an endpoint solution (Sophos) that can analyze / block https traffic. And this is how we control outgoing traffic.

johnpoz · Jan 20, 2020, 3:44 PM

Ok then you don't even have the extra overhead of running ips on your firewall.. So for your amount of traffic and other minor requirements.. A 3100 would be more than enough, a 5100 would be a rocketship.

marcelovvm · Jan 20, 2020, 3:44 PM

@johnpoz Hi John... but the target device I'm looking to buy is the SG-8860-1U... not the SG-3100... even this one, the 3100, is very expensive in Brazil ... twice the SG-8860-1U.

NollipfSense · Jan 20, 2020, 4:07 PM

@marcelovvm I think he was telling that as comparison in handling...don't delay...grab that SG-8860 now!

johnpoz · Jan 20, 2020, 5:02 PM

^ exactly! ;) if you found a 8860 at a price point you are happy with - snag it! ;)

its prob overkill to be honest, but if your happy with the price..

I have a 4860 on my home network - it is for sure way more than what is required.. But go big or go home works for me ;)