Migrating from Fortigate
-
Good day,
we are actually running a Fortigate 200D since 2014, and for me, it's time to upgrade. As I upgraded (3 years ago) all my sites from Fortigate 60 to sg-2220, i'm now looking to upgrade my head office to a netgate appliance. It host our main office and my server farm for the business
There is a description of what I have/use:
-100mbits connection (will upgrade to 500mbits or 1gb eventually)
-3 lan side port (one web server available from the net, one for my lan, and one for a public network)
-9 IPSec VPN (with 12 phase 2 each)
-Few users connecting through SSL-VPN
-Few external IP's routed to internal services
-Using QoS for VoIP over all the tunnels for the business
-I actually have about 60 rules in my firewall
-AV is inspecting smtp mails coming in
-Web Filter blocking few categories (adult mainly)
-I do not use IPS but it should be a good thing to useIn a normal day, I have around 3000 sessions, with +-30 new per seconds. There is always a ~10mbits of traffic
I'm also logging a few days of trafficI was looking the XG-7100 and the XG-1537.
I would need some advice.
Thanks a lot
-
With that many IPSec tunnels and potentially a 1Gbps connection I would choose the XG-1537 to give the most throughput possible. At 100Mbps the XG-7100 would be fine.
The VPN requirement is the limitation there, what throughput would you need?
Steve
-
Hi,
i say eventually, but not for the next year or 2.. i will get to 300 or 500 first..
The throughput for the VPN tunnel's.. it's around 10-15 mbits per tunnels.. (max).. sometime one get to 30-50.. but for a few minutes only.
-
Ah, OK well you should be fine with the XG-7100 for (30 x 9) 270Mbps IPSec as long as the route conditions allow it.
The only other thing to note there is that pfSense does not include a mail filter/proxy so it's not possible to block spam/malware in email in the firewall.
Steve
-
Should be fine for a while with what I mention I want to do (300-500mbits, ipsec, ips..) ?
-
Yes, I would not expect any issues at <500Mbps.
Steve
-
Ok for the XG-7100.. should I have store or memory ?
What will be the advantage of doing so ?
-
If you're planing to use Squid for wen caching and Snort as IDS the additional RAM and storage would eliminate any concerns. Both can use a lot. Snort in particular can use a lot of RAM.
It's certainly possible to run both in the default config though. You would just have to watch the RAM use and tune it if it gets too high.Steve
-
So to be save, 24gb ram and 256gb m2 ?
-
An XG-7100 with that specification will no problem at 500Mbps running with Snort.
Re-reading this though I see you have stated:
In a normal day, I have around 3000 sessions
What exactly do you mean by that? 3000 connections? 3000 clients?
Thousands of clients behind Squid can be an issue.
Steve
-
no. there is about 50 client behind the firewall (at the main office) and about 10-15 externally connecting by vpn/ipsec
By sessions, i mean: (from my fortigate)
I wont run squid.. but just snort (dhcp,dns etc etc)
-
Ah, that should be no problem, with or without Squid.
Steve
-
Thanks a lot!
just placed an order for:
XG-7100 1U pfSense
Security Gateway Appliance
Crucial 16GB DDR4 SODIMM Additional Memory = 24GB Total
256GB M.2 SATA SSD -
@froussy What Crucial memory did you buy and how did it work out? Did you get the SATA ssd from crucial also?
