2023 Firewall Features Compared: pfsense | Arista | UniFi | Sophos | Fortinet | Meraki & What We Use

Captions
Systems, and let's dive into the topic of talking about different firewall options. This is going to have a lot of qualifiers around it. This is April of 2023 when I'm making this list. These are the firewalls, on this list at least, that I have direct experience or at least some indirect experience through friends with. And that's one of the big qualifiers: it's impractical and hard to try to list all the popular firewalls, and that's going to be the controversial one, as I learned on Twitter when I posted some of these questions, of people want me to review their favorite firewall. If it's your favorite firewall, keep using it. If it's happy, if it's secure and it works well for you, I don't have any reason to tell you not to use those. I wanted to offer some knowledge on what we use, and the qualifying list here comes down to things we use a lot, of course pfSense being on that list, and things that some of my trusted IT friends that we work closely with do use as well.

Now, a little background on myself here. We are an IT services company and a managed services company, as in we are outside IT for other businesses. We manage about 50 pfSenses in different businesses, and we also do consulting with those businesses; some of those have internal IT teams. Now, expanded from that, we also have co-managed IT we do, as in they have an internal IT department but farm out some of the work to us, and we have a lot of those clients using things like FortiGate. Not that we're managing their FortiGate, but we know they manage their FortiGate; we're usually managing, let's say, their servers or some virtualization or some storage. So I have interaction with a lot of these firewalls that are on the list here, with the exception of a little bit of Meraki, I have less interaction with them, and the same thing with the FortiGate, it's less interaction, but worth listing on there because I had my friend Jason Slagle go over the list and say, yeah, we definitely use these, we like them. You've seen them on the
channel before. And then I also had Christian Lempa, and I have a few other IT friends that really like the Sophos system, so I threw it on there, but I just don't work with those a lot; but at least for a comparison list, have it on there. And people who are familiar with my channel know my bias towards pfSense, because it's a very popular solution.

One thing I will say right off the bat here, though, when it comes to pfSense: I listed it as just pfSense, but yes, there's two versions, pfSense and pfSense Plus. pfSense CE, I should say, which is Community Edition, the open source version. pfSense Plus is basically that same version with a few extra add-ons on there. And this is a topic that, you know, people say, "Well, aren't you now talking about pfSense Plus, closed source?" If you look, they're kind of developed in tandem, but they do release the pfSense Plus editions first. That is just the way they do things. pfSense, the Netgate people behind it, are big at supporting upstream BSD; they write some of the drivers and do a lot of the integrations. They have wonderful documentation; that's one of the reasons I've been such a long-time user of pfSense.

But without, you know, getting too far into it, I will mention OPNsense is not on the list, because I just don't interact with it from a business standpoint. I don't have any problem, though, if you would like to use OPNsense. This is where the Twitter controversy is: by me not having it on there, people seem to assume that I have some dislike for it. I just don't use it. It does have more frequent updates, but they're both actively developed projects. pfSense, the 2.7 CE, which is close to final release, is based on FreeBSD 14.
I believe OPNsense is on FreeBSD 13, but both of those are current, and if you go to pfSense Plus, that is currently on 14; that's current as well. So there are updates to it; they're just less frequent. OPNsense seems to be really popular in the home lab world because it has, like, more packages, and I get that. But from a business management standpoint, and that's where a lot of my experience comes from, is using these in businesses, not just testing in a lab, so the real-world usage, I just don't run into OPNsense as much, and having to manage something that has a lot of updates can be challenging. Now, it is my understanding lately, and I looked a little bit, there's a business version of OPNsense, which has a slightly different path with a few extra features, but I've never used it, and I didn't want to buy a license just to test something, because that testing would be still, once again, in the lab. I don't have time to tear down large infrastructure, we have site-to-site VPNs, etc., and see how OPNsense performs. So if you want to use it, keep going; if you're happy with it, keep using it. My preference is for pfSense.

And let's dive into the details of the list I have over here. We got pfSense; Arista Untangle, so Arista bought Untangle and they've continued on with the product. I believe they renamed it Arista Edge, but I still see Untangle in a few places; I think that branding is still there. If you look for my old videos you'll see Untangle; maybe I'll do an updated video on it at some point, since it's been bought, but they still have been maintaining the project. It's still a popular firewall, and I have some friends that are gold partners in it. We don't have that many clients on it, but we have a few, and it seems to work well and it's very trouble-free. USG, UXG, and the UDM Pro, UDM Pro SE: I group these together separately, as opposed to just calling it UniFi, because these have very different functionalities, and even UDM Pro and Pro SE, there's some differences there, and you
can probably throw in the UniFi Dream Wall on there to be more like a Pro SE. The UniFis are really popular in the market, but there's definitely some shortcomings we'll be talking about there. FortiGate, Sophos, and Meraki: you can't ignore Meraki's presence, especially in the IT services market, so I threw them on this list. I also can't ignore the controversies around Meraki, not just the pricing but occasionally Meraki going around people. I've got links that are in the description if you want to dive into some of that. Contacting customers directly is the going around, as in you have to be a reseller to get Meraki, and then they contact your customers directly to cut you out. Not the first time I've heard of Meraki doing it, but it recently happened again, so I didn't want to ignore or pretend the controversy doesn't happen with them.

Next is the features here. Can run on your own hardware: with pfSense it's a yes; Arista Untangle, yes; and no, no here: you're only going to run it on the UniFi hardware where you're running UniFi equipment. FortiGate, same thing: you don't get to just load it up as a device, you're going to have to use the FortiGate hardware. Sophos, it's a software-based firewall; they do have appliances just like pfSense does, so yes, you can load it up yourself or virtualize it, which is the next category. Meraki is a no on both of those.

Virtualize: I've virtualized pfSense, mostly for lab use, but you can use it in production. I'm partial to using direct hardware, but that's an option. Same thing with the Arista: I'm partial to using hardware, but yes, it can be virtualized. You're tied to the hardware when it comes to the UniFi line. And the FortiGate, I put yes but a link to how they do virtualization; that way you have that information available to you, for the page they have already talked about virtualized ones. And Christian Lempa has a video on Sophos and virtualizing Sophos.

Central management's a big thing that comes up when you're doing this from a business standpoint, not just a home
user, and pfSense doesn't have anything natively they offer. Our solution to this is to have our clients' pfSenses VPN back to us. This allows us to get to their web interfaces but not create any tunnels between them, so there's no lateral movement that can happen. From a security standpoint, this is what scares me, is some of the third-party ones out there where people say, "Let's just put SSH keys in so we can have one central place to automatically manage it." You're also creating one central place where someone could mass change firewalls without a second level of authentication, depending on how that's done, so something to take in consideration. There's nothing official from Netgate on this. The one from Arista does work in a way where it just creates a tunnel back, essentially like a proxy, where it just brings you to the login page of each device and gives you the status of those devices, so there's central management; it's nice. UniFi, if you have the USG, UXG, via their controller: the UniFi controller acts as the central management for multi-sites on there. It's a multi-tenant controller, so you can have many clients in here if you want. Yes, via the UI site: so each one of the Dream Machines, or even the Dream Wall, they run the UniFi controller software within it, and then you can tie it to UniFi's portal, which just brings you to the page on there through central management through the UniFi system, so they do have a way of handling that. FortiGate has their central management system, Sophos does, and so does Meraki.

Web interfaces: yes for pfSense and Untangle. Via the UniFi controller: even though it's built into the Dream Machine series, it's still the UniFi controller software running inside of it, so you're not exactly interacting with a firewall natively; you do it through the UniFi software. FortiGate, yes, has a system, so does Sophos, and Meraki is pretty much via their site. There's very basic things you can do on a Meraki; you don't really can do any advanced configurations. I think it just has some
troubleshooting things you can do when you get to the web interface of a Meraki firewall; it's designed really to be managed through their site.

Licensing fees: pfSense comes in Community Edition and Plus. The Community Edition is free, the open source edition. The Plus edition can be registered for free for home users and lab use, so there's not actually any license fees, but you can also buy support packages if you want when you're running it on your own hardware. If you buy Netgate hardware there's no license fee, hence a little asterisk there. So if you buy any of the Netgate appliances, you get the pfSense Plus edition and a limited amount of support, and there's no license fees ever; it's perpetual, there's no renewals on this. Arista, they're a little bit more mixed; that's why I said "some features." This is a link that takes you to a comparison chart of what you get for free versus what requires extra licensing, paid licensing versus just free registration, because you do have to do some registration if you want to use the Untangle. It's not just download and go; there's, I believe, a registration page you have to set up on there. No license or registration is tied to the hardware, technically, to make any of the firewall functions work. FortiGate, yes, they definitely have licenses. Sophos has a free-for-home edition, and Meraki is not just licensed; they're licensed and I believe it just stops working when there's no licenses. They don't have any home or free edition that I'm aware of. Maybe they do, but I didn't see it when I was looking. They do have some basic models, and you can get some, like, special reseller extra licenses, I think, once you are a registered reseller, but I'm not going to get too off topic on that.

Now, operating systems: pfSense is going to be based on FreeBSD, currently FreeBSD 14.
Then we have Linux, and I put Linux on all these, but technically they're very custom versions of Linux. They're not like Linux and then they loaded some piece of software on top to make up a firewall, but they are at least Linux-based at the underlying OS.

Supports high availability: yes and yes on the Arista and on the pfSense; no and no on either model of these. I know it's been in the "coming in the future," but I don't know when that feature is. Maybe you're watching it when they actually release this, but that's not a feature that they offer, is a full HA where one firewall can fail over to another. Yes on these ones here.

BGP, OSPF: there's actually quite a bit of features around this with the pfSenses, and as one of the packages they have to control this, but this is where sometimes you may have a little bit of a nuance there. You have this in pfSense, you have this in Arista. It's limited what you can do in Meraki; I forget what the limitations are. You have to do some digging to figure out, because it made changes from model to model, as I was told. FortiGate, yes, and Sophos is a yes, but this is where you can start to say, "Okay, but does it do the exact way I want it to, or the full features?" That was where we'll say yes, it has it, but the details are going to be dig into it. If you have a BGP use case, dig into it first.

SD-WAN: there is no SD-WAN option for pfSense. Arista Untangle has an SD-WAN option that integrates into Untangle. Nothing I'm aware of for the UniFi line. FortiGate has their own integration with their firewall SD-WAN options, so does Sophos, and so does Meraki.

OpenVPN: pfSense uses normal OpenVPN; it's interoperable with standard OpenVPN clients, and for the most part Untangle is as well. Arista Untangle can do OpenVPN. I've done videos on this where I've talked about their implementation; I actually like that. Yes, they actually have the full version of OpenVPN that you can use, enrolling TOTP, versus it's done differently in pfSense, so nuance kind of matters to some people of
if you're using a TOTP authentication with those; they implement it differently, but it is at least still OpenVPN. Very basic OpenVPN, and it seems to be that they've included more OpenVPN. I've not done a lot of testing on here, and it's only EA if you use the Pro. This is where UniFi can be very tricky to do this, because UniFi themselves do not list nice charts for features across their firewalls that are easily found. And even Cody from Mactelecom Networks, he does a lot of videos on here, me and Cody were talking, and as Cody said, you just have to take and read the notes for each version released and see what applies to your firewall, and he's not wrong. UniFi does not do a great job of nuance to figure out what features are supported, and right now it's only on the EA as of April 1st of 2023, when I did my testing on this. FortiGate does not have OpenVPN in there. Sophos has their own custom implementation of it, and Meraki does not either.

IPsec: yes. That is a paid feature on Arista, so that's back to the licensing piece; you can only get it with the paid version. Yes, they both have IPsec on the UniFi line. FortiGate, all the way across. IPsec, pretty popular.

WireGuard: yes on pfSense; paid on Arista Untangle; no, but "yes, but"; "yes, but" is the way I'd put it on here. Their WireGuard implementation's a little bit confusing, and I think it's also, on their normal implementation, they have their Teleport version of it, which is designed to tie to phones, but it's a little confusing. I know at some point, when they hit full release here, it's supposed to be like a more normal WireGuard implementation, so make sure it fits your use case if you're looking into one of these and you have a desire to use WireGuard. FortiGate does not, neither does Sophos or Meraki.

L2TP: once again, paid feature. They do have this on the UniFis. Please note there are certain limitations with L2TP, is why it's not the most popular VPN, but it is, I should say, not the most popular; it's a popular
VPN but can cause challenges when you have two users behind the same IP address. This is something where you try to get a couple people VPNed in, you'll go, "Wait, there's some conflicts." L2TP doesn't like when people come from the same IP address. That is a problem you run into with home users, especially if they're in the same area provided by CGNAT, for example; you can break things.

This is one that is a yes only for pfSense, and someone may think I'm biased for putting it on there, but there's no denying Tailscale's popularity. It has grown immensely. I know ZeroTier is kind of a competing product that I could have listed on here, but it would just be no across the board here; ZeroTier's not in any of these. But Tailscale, with a lot of commercial backers and a really good product, has become really popular. I love that they integrated it into pfSense; that's actually why pfSense shows that. I know there's been requests, and there's third-party ways to get ZeroTier in pfSense, but nonetheless, I've done videos on both ZeroTier and Tailscale. I think they're both great solutions. It's just nice, and I wanted to throw it out there that yes, they are integrated in here.

Intrusion detection, intrusion prevention systems: with pfSense this is going to be a manual process. You can load Suricata or Snort, you can turn on all the rules, you can get some false positives; you're going to have to do some investigating how that goes for you. This is something I've done a video on for tuning Suricata, but just so you know, it's not like just set and forget it, it just works. And it's very automated with everything, like the rule updates are automated; you can buy Pro rules and put them in there, but it's still kind of on you to determine the threat investigation. They've filtered the rules a little bit differently when you get them from Arista Untangle, so this is, I would say, a little bit smoother because it's part of the feed you're getting from Arista, but there still can be some false positives depending
on rule settings on there. It's very basic inside the UniFi and USG series, so they have it, but it's kind of basic. Also, some people... I'm a little fuzzy on exactly what speed penalties there are for turning it on. This is going to vary based on the hardware you have with both of these ones here, because you're providing hardware. FortiGate will have, as will Meraki, specs on turning it on and what the throughput would be with those features. And Sophos, once again, if you're running on your own hardware or if you buy the Sophos boxes, you know, you're going to get varied amounts of speed hit on that, so worth noting.

I put content filtering, and this is where people tell me, "But yes, it does have it." I would not use it; we do not plan on using it, or this is why I don't do videos on how to set up Squid or anything like that. I think it's a headache, I think it's complicated to manage, I don't find it simple, it always seems to have lots of bugs in it and requires too much management time, so we just don't use it. We use endpoint filtering, for those of you wondering, a tool called Zorus; got a video on my channel for Zorus. Untangle does a pretty good job of it; they can do basic DPI or full SSL inspection. But when it gets over here to, like, the USG, they're just doing DPI, no SSL, so there's no certificates to install; they do basic DPI inspection and that's about it. The FortiGate, Sophos, and Meraki all have where they can do more advanced levels of it; they can get deeper into some of the application-level filtering, for example.

pfBlocker is probably really popular because you can use things like Pi-hole feeds in it. You can still run a Pi-hole with pfSense or any of these firewalls if you want, but with pfBlocker you can choose the feeds, you can have it all in one device. I don't think there's anything wrong with the Pi-hole project, but out of convenience, if that's something you want to run, having that built in is nice. There's some DNS-level filtering you can do in there. It's really basic what
DNS filtering you can do in the USG, UDM Pro. FortiGate, Sophos also have it, but I don't think you can put your own custom feeds in any of these models that I'm aware of. Could be wrong about that; I didn't put an asterisk on it, but I know they have a level of DNS filtering. I just don't know if you can do custom feeds. You can do custom lists, like you put things in there, but not the same as putting, like, a feed, an active feed, like you can in pfBlocker.

GeoIP traffic filtering: that is also facilitated through pfBlocker; it's a feature in there. There's a beta feature for this in the UniFi line. Then we have FortiGate, yes, yes, and Sophos; all have the option.

Traffic shaping: there is a lot of advanced options inside of pfSense for this; same thing with the Arista Untangle. It's more of a basic on or off in the UniFi line; they don't have, I don't believe, any type of granular control. Maybe in future it'll have something better on that, but I would list it as there but basic. FortiGate, Sophos, Meraki all have this.

Multi-WAN support: always weird that this is a paid version of Arista Untangle needed for this, but hey, if you want to use dual WAN and do different load balancing between them, that is a paid option for them. Of course in pfSense; I got videos on this. It's hard to put this without just an asterisk: it's very basic, the control levels you have over the USG and the UDM series on this. I wouldn't call it wonderful; I would call it usable. They've gotten a little bit better over time with it, but it's still not as granular controlled as you have in, like, pfSense or even the other firewalls like FortiGate, Sophos, and Meraki.

SNMP monitoring: yes across the board; that can be turned on on all of them.

Active Directory integration: yes, RADIUS or LDAP. Paid feature here; they actually have a really nice integrator for this. And the reason you have Active Directory integration is usually going to be because you want to take your VPN authentication and your Active Directory users and pair those up so
you're not managing separate lists. Via RADIUS, both with the UniFi line, and yes, integration over here.

Policy routing: lots of policy routing options, very advanced ones, within your pfSense; yes within the Untangle; yes within the USG, but this is where it gets funny. Specifically, like, WireGuard: last I checked, there was still no ability to do WireGuard policy routing, which kind of could be a challenge if you're trying to set up a WireGuard site-to-site and you're like, "Well, I can't do a policy route for that for a site-to-site." So once again, you got to dive into the details of it, but for IPsec, for example, they do offer the ability to do policy routing with some of the IPsec on there. With FortiGate and Sophos they have it, and I didn't put "no WireGuard" here because, well, WireGuard isn't supported on the UXG, so it's just yes.

But back over here to firewall rule policies based on Active Directory: this is a fairly advanced feature, but enough people asked on Twitter that said throw it on there. There's no way I'm aware of doing this at all in pfSense. So if that's, you know, you have AD objects and you have users and you want to apply, based on the user, based on some level of authentication, a firewall rule policy based on that Active Directory object, I don't have any way to do that, and Untangle, but you can do that in the Arista. No integration with USG, but the rest of them do have this feature as well: FortiGate, Sophos, and Meraki.

HAProxy: I bring this up not to say that pfSense is cool, it has it, but also it actually is used very popular, especially not just homelab people, but there's sometimes services that you don't want to have to deal with certificates for. You can do this with the Let's Encrypt certificates, which are listed below. Tie it to HAProxy, use it locally so you're not exposing it to the world, but you can if you want. I've done videos on this, using this to have different local services managed without any certificate errors throughout an internal network. HAProxy is a
really convenient way to do that, so I definitely think it's worth having in there. Obviously it says no across the board, with an interesting exception; thanks, Christian Lempa, for pointing this out, that there's a web application type firewall, so there's extra levels of traffic inspection you can do with their built-in web application firewall for services coming from the external going through their WAF to come in there. Technically I say no on FortiGate, and someone may say, "But Tom, FortiGate sells a product that does that." Yeah, it's just not their firewall. It will integrate with it, so I almost put "no" with asterisks, but just so you know, the firewall does not natively have something built in. But yes, you can buy another service from Meraki, and technically Meraki's owned by Cisco and there's other services you could buy to put in front of it, but we're trying to keep this at least somewhat scoped.

Let's Encrypt certificates: no, I don't think there's any way I've seen to do them in the Arista Untangle. If someone has a document I overlooked, let me know, but without the proxy here I don't know if that really matters. And USG, nothing in there, and matter of fact, I don't even know why UniFi has never integrated the controller software either into Let's Encrypt. It seems like it would be really good to do; I believe they even sponsor some of the Let's Encrypt things. Maybe there's a future roadmap where that is well integrated, I hope so, but today that's not in there. FortiGate, you can do this for the firewall; I didn't see an ability to do it for anything else. And no on the Sophos or the Meraki for those certificates. But the biggest reason you want to use them is usually going to be for HAProxy, so I kind of tied those things next to each other together.

Captive portal might be another reason to use Let's Encrypt certificates, but yes, you can do this with pfSense, you can do Arista. The UniFi controller software does the portal, so whether you have that software running on a UDM Pro or as a separate service
on a Cloud Key or something self-hosted, it's going to the controller, technically not the firewall, so I made that note in there. FortiGate yes, Sophos yes, and Meraki yes.

Traffic monitoring and reporting: I really like ntopng. It's great, it gives you a lot of great details on there. It's not a bad tool; it's not going to be as advanced as, I think the Arista might have a little bit better, but this is also where you can get to be splitting hairs for what you really want: how granular it needs to be, is it adequate, or do you want something that gives you, like, this user went to this website, and summary reports. The Arista reports are nice for that. UniFi and the lack of good time slicing means yes, it gives you information, but it's a little bit harder to digest, so I'll put that on there that it has it. The graphs look really well presented, but the granularity of them not being good makes them a little bit harder to read, but it's checking the box that it has them. FortiGate, Sophos, and Meraki all are yes.

Now, one thing missing from that features list was VLAN support. The answer is yes across the board, so I added it to the list, so if you click that chart you're going to have it on that list.

Next, I'm just here to provide some data points. I'm not here to be your decision point. I'm not saying these are the only firewalls you can use or you must use pfSense because I have a lot of videos on it. Ultimately, I just wanted to provide some insight to things we've done, things we've worked with, things some of my friends have worked with. And as I said, Christian Lempa really likes Sophos XG, I have a few IT major friends that really like it, and so I include it on the list even though I don't directly use it. But hey, he's got a video on it so you can dive into it, and I know he said he's creating some more videos on it as a topic, so depending on the future when you're watching this, there may be more videos linked over to his channel on that.

UniFi is one more I'll bring up, because I think UniFi is a good moving
target for improvement. They keep getting better. They've somewhat invalidated my video about the weird way UniFi does VPNs, because they're getting better, proper VPN support, and maybe you're watching this video in the future where UniFi's made a nice chart so I don't have to chase down, like, release notes to figure out if they're implementing the VPN in a normal way or they've tied it to some other service like UID to be able to get it to work. As I said, I'm hoping in the future they just do it normal and make a nice chart so we understand what support on which products exists. But nonetheless, that can make UniFi a little bit challenging. For routing I think they work great, like just for basic routing functions, but the VPN is often where people get hung up, hoping it will do something and finding out UniFi has done it slightly different.

This is always that nuance challenge you have with any of these firewalls: having support for a feature versus how they implemented it, and how easy that feature is to use can be varying a bit. Nonetheless, I love hearing from you. Leave your thoughts and comments down below as to which firewalls you like, which one's your favorite; I'm always curious what else is in the market. I try to keep an open mind looking at different things. Head over to my forums for a more in-depth discussion on this topic, or anytime you want to engage with me. And thanks.
Info
Channel: Lawrence Systems
Views: 127,351
Keywords: LawrenceSystems, firewall review, firewall review 2022, firewall review policy, firewall review tool, firewall review process, untangle firewall review, firewall rules review, pfsense firewall, pfsense router, pfsense tutorial, ubiquiti networks, network security, pfsense vlan, pfsense (software)
Id: 0bTjibLYSOo
Length: 26min 23sec (1583 seconds)
Published: Sat Apr 01 2023