Prepurchase Question
-
There are a bunch of improvements coming for arm7. Suricata 5 is in 21.09 already. More to come.
Steve
-
@bmeeks said in Prepurchase Question:
issues with Snort and Suricata on SG-3100 appliances have apparently been solved
Ooh, fantastic…yay all involved.
-
Thanks for all the replies. It sounds like if I want to use Suricata, I really need the 5100. I would have to decide if that's something I want to manage on an ongoing basis for people should I decide to move forward with the hardware after testing.
If it will at least run on the 2100, I could always use that for testing to save the $400 and then deploy the 5100 for clients.
I'm seeing people mention pfSense+. Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing? My understanding was that there were no reoccurring subscription fees like there is for Sonicwall and Barracuda?
Thanks again for the help!
-
Hi, for further info about Plus and CE please read the Netgate blog post about that topic. As far as I know Plus is included on Netgate hardware, and no, I will not talk or consult about that move from Netgate. Don't get me wrong but it's pretty frustrating and annoying.
If you are running a company, at least with the 5100 you need to test and try things on real metal, not testing on the client's machine. We are still talking about firewalls, not some fancy RGB-lighted PC.
Just my 2 cents
Br NP
-
@spyderturbo007 said in Prepurchase Question:
Doesn't all Netgate hardware include pfSense+, or is that an additional charge I'm not seeing?
Yes, all hardware we sell comes with Plus.
No, there is no additional fee or ongoing charge for that.
Steve
-
@noplan said in Prepurchase Question:
If you are running a company, at least with the 5100 you need to test and try things on real metal, not testing on the client's machine. We are still talking about firewalls, not some fancy RGB-lighted PC.
Just my 2 cents
Br NP
I'm not going to be testing with clients, which is why I started this thread in the first place. I want to test the pfSense functionality before deciding if I want to offer it as a solution.
My point was that if the 2100 will at least handle both Suricata and pfBlocker, then it will serve the purpose for testing and save me $400. I would obviously size the hardware to the clients when deploying the product. But for my testing purposes, I don't really care if I'm getting slower than normal bandwidth through the device.
@stephenw10 since it appears as though you work for Netgate, can you comment on the choice of hardware for testing? There seem to be some conflicting opinions on the 2100, and then the 3100 appears to have underlying hardware incompatibility issues.
I don't want to drop the $700 on a test device if I don't have to. Thanks!
-
@spyderturbo007 said in Prepurchase Question:
if I want to use Suricata, I really need the 5100
We have set up Suricata on all the 3100s we put in at clients. To be clear Suricata v4 runs just fine on a 3100, and if 21.09 will allow the later versions of Suricata, and Snort, to work that eliminates much of my concern for the future.
pfSense Plus is currently only on Netgate hardware, like the previous Factory Edition. At the moment they're very similar, and honestly I couldn't tell you the differences other than it works on ARM hardware and AWS/Azure. They have said they intend to offer it for third party hardware at some point...that announcement said June, but it has stretched to sometime this year.
Also note the 6100 was recently released and is the same price as the 5100.
-
@spyderturbo007 said in Prepurchase Question:
I don't want to drop the $700 on a test device if I don't have to. Thanks!
If you are just testing having never used pfSense before the first thing I would do is spin up the CE ISO in a VM.
To test hardware on a 400Mbps connection both the SG-2100 and SG-3100 will pass that fine.
When you add Snort/Suricata into the mix it becomes much harder to give a definitive answer because it can vary wildly with the number of rulesets you have loaded and scanning mode config you're using.
The 2100 will pass 500-600Mbps of firewall and NAT. The SG-3100 will pass 850-940Mbps. Packet size, latency, line conditions dependent etc...
Running Snort/Suricata will reduce that.
Steve
-
@noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.
-
@kom said in Prepurchase Question:
@noplan It's pretty simple. With CE you get 99% of pfSense+ functionality, and the vast majority of users would have no use for the differences. When you support them by buying their hardware, you get some small bonuses like a few extra niche packages and priority updates & releases.
Yeah, I personally see a different story coming round the corner....
Let's see
-
@noplan Their approach isn't really any different for other projects like TrueNAS, for example. Everyone can use most of it for free, but people who help support them get some extras.
-
Hey folks, we are still talking about a 4GB RAM box. (SG-2100)
And don't get me wrong... using pfB and Suricata will get you soon into burning swap when you put the pedal to the metal.
pfB on 2.5.2 is consuming less RAM than on 2.4 with the same lists, for starters.
But both systems (Suricata and pfB) on a 4GB RAM box with a full grown and used LAN behind is a f@#&* pain on 4GB RAM.
-
@bmeeks said in Prepurchase Question:
Suricata on SG-3100 appliances have apparently been solved
In fact I did two upgrades to 21.05.01 on 3100s today and they both offered the suricata package (package 6.x, Suricata 5.x), not the suricata4 package.