Netgate Discussion Forum

    What to compare to?

    General pfSense Questions
    5 Posts 3 Posters 1.8k Views
    • Stewart

      What would you guys compare pfSense to?  If you were to say Cisco, would it be an ASA?  ASR?  ISR?  Juniper SRX?  We've been using pfSense for several years at any client's site that needs anything more than just a basic box.  We've recently been contracted by some new developments for established large business and need to put routers and infrastructure in place.  They are requiring Content Filtering, AV, IPS, etc.  I can do pretty much anything with pfSense except good content filtering.  SquidGuard isn't good for HTTPS and there is development for e2Guardian but I'm not comfortable with it enough to put it into production.  I'd really want to deploy something like the XG-2758 but there just isn't solid UTM.  Squid and its AV works and Suricata is great.  Content Filtering, not so much.  So where does everyone see pfSense comparing?

      • johnpoz LAYER 8 Global Moderator

        ASR sure doesn't do anything more than routing, with possible ACLs to have it as somewhat of a firewall.  Juniper SRX - doesn't do any of the sort of content filtering, etc.

        To be honest, to run a true content filtering system you should really use a device/software designed for that specific feature.  Zscaler, Websense, Bluecoat all come to mind as full-fledged content filtering.

        The right tool for the right job.. Once you get past the small SMB you will not find everything combined into a single UTM ;)  pfSense for sure has a place in enterprise setups - but to think it should be able to do the job of multiple specialized pieces of hardware/software is not realistic..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • Stewart

          @johnpoz:

          ASR sure doesn't do anything more than routing, with possible ACLs to have it as somewhat of a firewall.  Juniper SRX - doesn't do any of the sort of content filtering, etc.

          To be honest, to run a true content filtering system you should really use a device/software designed for that specific feature.  Zscaler, Websense, Bluecoat all come to mind as full-fledged content filtering.

          The right tool for the right job.. Once you get past the small SMB you will not find everything combined into a single UTM ;)  pfSense for sure has a place in enterprise setups - but to think it should be able to do the job of multiple specialized pieces of hardware/software is not realistic..

          As an MSP, we strictly deal with the SMB market so consolidation and price are important.  Right now if we need UTM we use SonicWall.  We don't love them but they work fine once we get them up and running.  You are right that in large companies and enterprises with their own staff and budgets they can get the right tool for the right job.  It's the same with servers.  Put one in place for each function and don't rely on 1 box to do everything.

          The Juniper SRX does appear to have UTM and IDS licensing so it does do threat management.  According to the UTM information it does Antispam, Content Filtering, Antivirus (a couple of options), and Web Filtering.  The Cisco ISR has UTM as well.

          That's why I'm trying to get people's take on this.  Where do we see pfSense fitting in and comparing to?  I have an APU2D4 with Suricata running all community rules enabled, Squid with Clam integration, and squidGuard all running.  That little $250 box can push 350mbps on a speedtest with everything juiced up.  The SonicWall TZ400 does 300mbps (full UTM) and is close to $3K with 3 years of licensing which they list as good for up to 75 users.  The Juniper SRX340 does only 250mbps with full IPS on and it costs close to $4.5K with 3 years of licensing.  I can't even figure out how to price the Cisco ISR models.  By comparison, the Netgate SG-8860 would appear to probably do 1gbps with full testing (I don't have one.  Just extrapolating) and is only $1100.  Add in the Snort Pro rules for ($400/yr * 3 years = $1,200) and you're out $2,300 for a unit that appears to compare favorably with the SRX345 that would run over $7K.  Want to jump over the 1gbps mark?  Just move on up to the XG-2758 for a few hundred more to get 10gbps ports.

          It appears to compare even more favorably if you take out the UTM stuff and just use the router/firewall.  That XG-2758 is under $2k and can push 16 million connections.  The Juniper SRX 345 shows it can only do 512 thousand concurrent sessions.  It feels like the only thing missing is the central management to control all routers across the enterprise unless I just haven't seen it.

          Personally, I use my little APU2D4 boxes against SonicWall TZ400s since they are the only real competitor I've found at the price point my clients are looking at.  UTM may not be as protective but it checks all the boxes and I can deliver it at a fraction of the cost with 3 years of warranty and support.

          I don't want this to sound like a marketing pitch at all but as an MSP with SMB clients, I'm honestly trying to see where people find pfSense fitting in.  Companies like Juniper and Cisco don't really even try to hit competitive price points at this level.  I could get an SRX 320 for $2,500 with all the licensing and support for 3 years, but they are limited to 100mbps.  Our clients usually have cable at 300mbps so something like that just doesn't work.  pfSense is a lot more powerful and easier to use than Cisco ASA boxes and SonicWall TZ units.  Where do other people see the comparisons?

          • Chrismallia

            For UTM maybe check out Untangle?  It has zvelo for web filter.  I believe Fortinet also uses zvelo.

            • Stewart

              @Chrismallia:

              For UTM maybe check out Untangle?  It has zvelo for web filter.  I believe Fortinet also uses zvelo.

              Thanks.  We used IPCop long ago, then Untangle, and now pfSense.  I'm trying to get a sense of how it compares to established companies.

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.