Netgate / pfSense+ versus WatchGuard or Palo Alto
Our two WatchGuard M200 units are coming up for renewal/replacement this summer. I would love to replace them with Netgate products and support; however, our IT vendor prefers to either stick with WatchGuard or migrate to Palo Alto. I have nixed Meraki from the short list based on experience with their "no traffic passed once the license expires" model.
Our setup is a 100/100 fiber internet circuit and a 100/100 backup wireless internet circuit. We currently have ~17 users, most of whom use OpenVPN to remote into our LAN, with a handful of people in the office each day. Our M200s can only push ~25 Mbps over OpenVPN (sad). So there is not a lot of bandwidth to deal with, mainly VPN traffic and the potential for traffic inspection (see below).
I'm very comfortable with pfSense (a user since the m0n0wall days), but I would appreciate a bit of sales support/comparison with regard to some of the subscription-based features we get from WatchGuard, as I think this would help assuage fears from our IT vendor and, to a lesser extent, me.
If the thinking is that Netgate and WatchGuard are apples and oranges, that is fair feedback as well. Are these subscription features even relevant anymore with the prevalence of SSL/HTTPS, etc.? I appreciate any thoughts.
WG feature                                                  | pfSense equivalent feature or package                 | Provider subscription cost?
------------------------------------------------------------|-------------------------------------------------------|---------------------------------
Botnet Detection (unsure exactly what the WG is doing here) | ??                                                    | ??
Gateway AV (HTTP only?)                                     | Squid + ClamAV                                        | ??
IDS/IPS                                                     | Snort or Suricata                                     | Snort @ $400 per yr, Suricata ??
Reputation Enabled Defense and GeoIP                        | pfBlockerNG?                                          | MaxMind @ $288 per year, others?
WebBlocker                                                  | pfBlockerNG DNSBL or Cisco Umbrella (we already use)  | no addl cost
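As an added example that is not part of the original post (and not pfBlockerNG's own code), the snippet below shows the matching logic behind the DNSBL row of the table, and why a DNS-based block is unaffected by HTTPS: the resolver sees the queried name before any TLS session exists, so a match on the name is enough to sinkhole the site. The blocklist and the Unbound-style query log lines are constructed for the example; the log line layout is assumed to follow Unbound's `log-queries` output. Note the edge case at the end: a parent-domain match blocks `cdn.ads.example.net` via `ads.example.net`, while a naive substring match would wrongly block `notmalware.example.com`.

```python
import re
from typing import List, Optional, Set, Tuple

# Constructed blocklist in the hosts-style format many DNSBL feeds use.
SAMPLE_BLOCKLIST = """\
# comment line
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
malware.example.com
"""

# Constructed query log lines in the layout assumed for Unbound's log-queries output.
SAMPLE_QUERY_LOG = """\
[1700000000] unbound[1234:0] info: 192.168.1.50 www.netgate.com. A IN
[1700000001] unbound[1234:0] info: 192.168.1.50 cdn.ads.example.net. A IN
[1700000002] unbound[1234:0] info: 192.168.1.51 tracker.example.org. AAAA IN
[1700000003] unbound[1234:0] info: 192.168.1.52 notmalware.example.com. A IN
"""

# Assumed log layout: "info: <client> <qname>. <qtype> IN"
QUERY_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) IN")


def normalize(name: str) -> str:
    """Lowercase a DNS name and drop the trailing root dot so lookups are consistent."""
    return name.strip().lower().rstrip(".")


def parse_blocklist(text: str) -> Set[str]:
    """Accept both 'sinkaddr domain' hosts-style lines and bare domain lines; skip comments."""
    domains: Set[str] = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # The domain is always the last token, whether or not a sink address precedes it.
        domains.add(normalize(line.split()[-1]))
    return domains


def is_blocked(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry that covers qname (exact or any parent domain), else None.

    Walking the label hierarchy rather than doing substring checks is what keeps
    notmalware.example.com from matching malware.example.com.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def scan_query_log(log_text: str, blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Return (client, queried name, matching blocklist entry) for every query that would be sinkholed."""
    hits: List[Tuple[str, str, str]] = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = normalize(m.group("qname"))
        matched = is_blocked(qname, blocklist)
        if matched:
            hits.append((m.group("client"), qname, matched))
    return hits


if __name__ == "__main__":
    bl = parse_blocklist(SAMPLE_BLOCKLIST)
    for client, qname, entry in scan_query_log(SAMPLE_QUERY_LOG, bl):
        print(f"{client} asked for {qname}: blocked by {entry}")
```

The same name-based check is what makes DNSBL blocking indifferent to whether the site is plain HTTP or HTTPS, whereas a Squid + ClamAV gateway AV only sees payloads it can decrypt.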