Untangle Firewall Review

Video Statistics and Information

Video
Captions Word Cloud
Reddit Comments
Captions
so we're gonna talk today about untangle firewall and a lot of people have asked me because I've done so many firewall reviews and you know I'm obviously a big advocate of pfSense because I really like open source firewalls but there are times when you need something that does full web filtering is turnkey as easy to use is a good solution and I've looked at a handful of woman I immediately got agitated with them and then untangle came up but I've talked to a handful of my tech friends who have deployed a lot of these my one friend had commented he's deployed almost I think he said a thousand of them overall over the years she's been using it for a long time so I've got a lot of people a lot of feedback from more than one of my well respected tech friends who say yes this is a very solid product so we did some testing with it and I absolutely agree with him this was a really good product now first because someone's overusing us but what about how does it compare to and this is a little bit difficult I wish I had all the time in a world to spend digging into every single firewall and do a head-to-head firewall video if anyone wants to throw enough money at me more than happy to do it but obviously that takes a lot to really dive deep into a firewall now the thing I will cover is first it's not free it's not an open source firewall solution and we're gonna talk about pricing real quick because that's where a lot of people may get turned off that they were always looking for the ultimate free solution sorry this isn't free good web filtering takes a good security team we've got knocked team to understand the threats on the web to compile the resources together and to deliver that to a firewall as a feed so your threat management stays up-to-date and relevant this is why I'm reviewing this firewall because it does that it does that at a reasonable price and we're gonna talk about price real quick here in a different way so right at the top of the untangle website we have a Buy button and then we have pricing this is amazing if only other companies like 40 net with their 40 care contact support call us Sophos get price and get a quote Cisco Meraki get a quote after you check some boxes and get an idea of their pricing but don't really tell you yeah we're still back here we don't know all these companies think they're hiding pricing I don't understand this this is something that drives me nuts just tell me the price of the thing without having to talk to a person fill out a form and get on your mailing list literally I'm right here on tingles website and we can figure out our pricing bottle now I kind of like the pricing model then this is an important distinction I want to get clear they have a firewall that is free but the add-on features cost money you get a 14-day trial for full-blown all the features the web filtering the content filtering the threat management and the feeds that come with it but this is my favorite part if you choose not to renew your license because you want one previously or you let your 14 day trial expire the firewall doesn't turn off it is not like Cisco Meraki where it turns into a pumpkin at midnight when you didn't pay the license and it keeps functioning without those extra feeds so you really do get a good firewall solution that if you decide you don't need those extra features you can not have to rip it out you can keep it in place this is just a better business model to me going hey these things cost money these are the things our team works on keeping this firewall up to dates a lot of work for these threat management so yes that does cost money now what's even better is the fact that I don't have to talk to anyone to get pricing and I can go here and choose how many license devices not users I've made the mistake of saying that what I did talk to the sales rep people which are really nice they're super easy people to talk to they actually have a really we're working on becoming a partner because we want to start reselling these untangles as some solutions to clients that need that extra layer of protection with the UTM and we've seen them deployed before we've seen them where clients have bought them themselves and that's also another thing where we do is we work with a lot of other IT companies on special projects then we've seen untangle at the head end and I hope this thing works great they really seem to like it as well their device licensing you figure out this if you have some weird custom solution you can talk to a sales rep and work things out with them through partner networks and distributor networks but if you just want to buy direct and you have a small office or even a to 1,000 person office they have pricing out here that's pretty clear the cool thing is this is the ng firewall complete I won't get into some of the other deals but they do we have a big discount for nonprofits and public sector but the home one for home users this is really a great deal for home users oh go you know what I really want to turn key easy system to do some filtering and I don't want to have to pay a whole ton of money well you know 50 bucks a year is a great deal for home users who are looking for a firewall that's intuitive easy to use and will filter out things that you may not want your kids getting to by the way kids are really smart they're gonna figure out ways around the firewall but this is a layer at least a extra barrier you put some effort into trying to stop them from getting online it all depends how tech-savvy your kids are and how tech-savvy you are so I just want to cover the pricing get it out of the way because a lot of people are gonna ask about this it's nice and clear and online unlike these other companies that call for quote call for quote call for quote that drives me crazy so let's roll back all the way to how do you download it how do you get it well pretty easy ISO CD image download VMware appliance so they do support running in a virtual machine I have now run it at my house for a little while on a physical Hardware box I've run it on a virtual machine here as a test and both of them work perfectly fine I didn't run name issues without doing the demos with this I'm not gonna take you through the whole installer but I'll tell you the installer is fairly straightforward nothing exciting about it was actually real easy to install it walks you through and I got this actually zoomed in too far it walks you through like a standard install that you've seen for most Linux distributions next in the su way through it with the graphical installer let's use a mouse made it easy to install and actually it won't let me rescale this down but I can just press ENTER most of times and it will just go through and set this firewall up a minimum two network cards does support more but like I said the Installer I had no problems installing it both on hardware or any virtual machine I didn't actually download their OVA file but that would work fine as well I'm sure so I'm going to close this and cancel it now I'm bringing you here to my firewall demo of what it looks like install because normally the council's not interesting their councils very interesting Mia move this over here for you so if you plug in to the council itself this is actually what you see in there a firewall with a GUI that's strange as most firewalls are not managed with the GUI they're managed with a web interface well so is this one you have recovery utilities you have a few other options that are what you think is pretty cool but you can actually just it launches a web browser to manage the firewall inside the GUI so you can actually plug in if you built this on a commodity hardware which of course commodity Hardware supported and I didn't cover in the beginning but yes they have appliances they sell so this is either you load it yourself or you can buy one of their pre-configured hardware appliances to run this on so either way you want to run this is fine but the fact that it has a graphical interface that lets you do this from the firewall is actually pretty neat I've not seen that before so I thought that was kind of novel and maybe someone's gonna say but I'm haven't you seen so-and-so yeah I'm sure there's other companies doing it but this one's really nice so we can close the web browser we can shut down reboot I have recover utilities get to the terminal which I think prompts you with a warning this is for advanced people who know how to terminal nice I do you want to run the recovery we're gonna say no but it does have cold recovery reboot services but the web interface inside of here looks the same as it does when you log in so let's start digging into the web interface a little bit and we're gonna do it a little different here so untangle being targeted at the commercial market we're gonna go ahead and sign in here now I'm going to block out some IP addresses on here for my office and things like that but what you're seeing is the dashboard so you can see all of your appliances in one dashboard we have only two registered here because we just set this up and this dashboard comes with your account and what this installs you do if you're an MSP like we are you can deploy these and then have them all in one dashboard so you can get an idea of what's going out with them and then from here we can manage them now what happens is when you're setting up on tangle a task if you have a registered on tango account you can either create one or sign in to yours each one of these that you sign into you this all can be blocked if you don't want any remote access to your untangle via this dashboard you can't shut all this off really easily you actually implicitly have to turn it on because by signing in to your account if you don't sign in to your account yes you can keep using untangle but you're not gonna be able to license it because the licensing works through this but you can sort license it through this and still block access to the dashboard if you still wanted to the nice thing is this dashboard means I don't have to open up any ports for management it keeps a secure proxy connection via the untangle dashboard so we've looked at this how it works it's really clever it's a really nice system so let's actually get into managing untangle so I've zoomed in specifically to the one running at my house it's got some appliance warnings because there's only two days left of my trial we've been using this at home because I wanted to gather a lot of stats on it it's too much work to switch our entire work environment over to this so it leaks it I just did some testing at home so I can kind of get an idea what works what blocks and things like that which they have all these reporting and tools and maybe one day I'll get in more into the dashboard depending on the interest level in this video but I will show you now untangle itself and how the reporting looks so we click remote access and a remote access once the firewall password not my untangle password again so I have admin and a password set and now via proxy magic from untangle I'm into that particular firewall logged in directly to the one at my house right now you because progeny takes a second to load all the details and get the data polled and this is the dashboard for untangle and you can see we use the chromecast a whole lot which is not surprising for home games my kids play make up a big part of it but it's one thing I'll say is right off the RIP their reporting is nice it's easy it makes chasing things down pretty simple it also makes adding conditions easy and what I mean by conditions are you can filter this dashboard out to be down to any specific service or IP address which makes it really easy when you're doing things like okay what's causing the problem or what's what's using all this data do you want a host name equals chromecast say yes it's going to take a second and now it starts filtering this and what these are is adding conditions up here on the reporting menu so this is kind of neat the way it sees this now the real magic is in the apps this is the what you get to pay for and once these expire I lose access but the firewall is not going to like I said break at my house only I'll lose certain features so the application control SSL inspector bandwidth control and virus blocker and web filters those are the things that are paid for also when failover when balancer directory connector because this does integrate with Active Directory policy manager where you can write really specific policies on things I'm not going to get too much into that but it's kind of neat branding is kind of cool because you can do some custom logo and branding I believe if you buy the home version I don't know that that's a feature with the home version but I don't think home users care and this is where we're gonna dig into a little bit more about the way this firewall works so all these applications you go here you say install apps and you just choose which things if you want web caching we just go click here and we're gonna do it right now on the spot live here and it's downloading and enabling the web caching feature at my house with that one click it's now installed click on apps alright now that we have the web cache installed let's go ahead and click on the web cache and any app then I'll have the same common interface we can go ahead and click enable I understand the risk clear the cache if it's got there so clear the cache requires restarting the caching engine what will be disrupted well it's pretty cool these apps all have these really simple interfaces to them so actually I'll leave that hunt why not let's look at the other one like the application control same thing slide button and enabled here's the applications and some of the rules and of course than the reports now web filtering versus application control this is where the magic is and what this allows you to do is you can flag tarpit or block each of these applications so we can go through here and go alright we want to get rid of or remove this and take and apply a policy to someone and go alright we want to block social media but a block gaming we just want to go no more 4chan at my house so we just do this you can either tar pit it or block and the difference between tar pit and blocking is explained by the way their documentation at wicked on tango comm is very thorough and nice generally you want tar pit applications that are hard to block me except certain event blocking block will reset TCP connection so the client knows immediately the session has been reset tar pit will acknowledge the receipt of data but not Sun of data so it's silently dropped for blocking web locations and a browser block has you better as tarp it will cause the browser to hang as it waits for data which can cause issues for the user so when you block it it just lets them know right away it's blocked it drops the connection it's using a TCP drop so it's like immediate they go out that connections broken I can't get to whatever that person is not blocked from now this is just nice and this is the thing that a lot of people are looking for with all the different free firewalls that's really hard to do that because of these feeds these feeds are constantly updated in order to assess this this is the secret sauce if you will is not really secret it's a lot of hard work putting these together and understanding that how you can turn it into one click because 4chan doesn't represent just a single website there's a lot of pieces there's a lot of components behind there so blocking it's not as simple as just we put an ad in that century and it's blocked you can't do that but then you always find people who are getting around it and that's where the problems start to come in as people get around you and you're like well why can't I do this it's also a game even with the folks at untangle or any other web filtering company it is a constant battle a cat-and-mouse game of people figure out a way to get around your firewall and this is just a layer of you're trying it at least you put the effort in I'm not a big fan of web blocking we do know web filtering here at my office but it's one of those things that a lot of people do look for and generally speaking the average user is pretty well blocked by these things the advanced user to figures out how to get around VPNs with different SSL tools they're gonna still get around the blocking by the way just making sure it's and this is not the end-all solution that makes your web perfectly safe to use Web Filter works much the same way but it's specifically just for the website so it's more the blunt object and it's got the site lookup so you can see where it falls on the list block sites Pass sites pass client rules advanced so it's the same thing but a little bit more blunt application is at the application level and it's using their heuristics system to understand what those applications are to categorize them web filtering is kind of like it's not just filtering general websites together so it's it's a cool using combination in tandem it works very well now a few other things that are in here night like this is part of the free version the IPSec VPN is part of the paid version of there but the free version comes with Open VPN and tunnel VPN and tell VPN is something a lot of people have asked about and they've made it really easy to do here inside of untangle just like this is your top tunnel VPN provides connectivity through encrypted tunnels to remote VPN and services so we're gonna go ahead and look at tunnels we're gonna click add tunnels select provider now they support customization so you can use specific different companies but they have built in on Nord VPN and expressvpn and private Internet access so a couple popular VPN providers they just let you log in and then tunnel your entire network through this that's pretty awesome the fact that they built this in and made it very turnkey for a lot of people I've done videos on this of how to do this in other firewalls and it's eight not a lot but it's still some setup in steps and things you have to go through and it's why my video was a little bit longer on it cuz I get very detailed on how this works and I like doing it in a very controlled way but it's nice that they have an auto magic way that you just login with your username and password for your open VPN or private Internet access file and away you go and then to go a step further this is some things people have a challenge with this its policy routing and what policy routing does and they have this built in is you can take a condition and force it through either route normally or available only through the tunnel so now you can start creating all the rules right in here to say alright I want and they have a couple example ones that maybe you want to you route all tagged with BitTorrent usage over tunnel because you want your BitTorrent usage to go through one of the VPN providers such as PIAA and then you want your other internet to just go through your name joint standard provider because as some people have noted already who have done full tunneling of their entire network you start having problems with a lot of sites like Netflix and a lot of places block you from coming in from a VPN so if they see that you're operating out of a VPN they may block you in some sites do that for reasons and this way you can still have things like maybe your chromecast connecting directly to Google and working the way you want but then your BitTorrent usage going out over a VPN or any other maybe just single computer so you can create a policy to route just one computer on your network over the VPN and the rest there this is like I said really nice that this is a turnkey feature and by the way anytime you change something it's really small down at the bottom is if you're looking for the Save button which I did that's the only not complaint but at least challenge I had when I first got the firewall going he's asking me to save things but I can't figure out where to save them it's down here in the bottom right hand corner everywhere and anything you change you want to save so unsafe changes will be lost you want to continue we just go ahead and say yes it takes out of there those are you looking for that more robust level of filtering this does have an SSL inspector and if you're not familiar with it that's the sound spectra is it means you have to add to the trust certificate in order to make this trust your computer so actually go over here as a cell inspector so they have a page really talk about it in detail of how to install the cert you just go HTTP the IP address of your untangle internal firewall slash cert and then we're gonna pull up what it looks like so this is a Windows 10 virtual machine I have set up behind and untangle VPN I'm starting to untangle firewall in my virtual machines and one I actually showed you beginning here the thing about this is running it like this with the SSL inspector turned on didn't really impressed me because one of the problems you weren't you right away is what browsers don't want to use Google Chrome well Google Chrome has certificate pinning in it for the Google Sites so here we are at SSL labs and you can see that hey cool I've got all these things installed and I can pass an SSL cert and SSL cert is fine here I get a privacy here on Google and this is just I want to give a heads up on this they're aware of the problem and it's right here at the bottom SSL inspector does not seem to be working with Google Chrome why new chrome versions use protocol quick to communicate with Google adding firewall rule filter rule to block for for three quick force changes use HTTP also this certificate error so the two problems here is the quic protocol and that and I don't know this is actually in let's dig a little deeper not to get too far our topic let's talk about this real quick a quick guide to quick over on the Cisco blog and I brought up Cisco because people know them as the big commercial firewall company but filtering they have a problem with the quic protocol as well and this is a quic protocol I'll maybe do a video on it soon they just got ratified so your answer a lot of these companies have is to block it so you can filter better but on the other side of it is becoming a standard and all these companies that do any type of filtering are having a really hard time with it so it's not an untangle specific problem it is a problem with this protocol because it's harder to see into the second part is the pinning part of these certificates is a Google thing because so we can't open google.com here in after installing the trusted cert because the SSL inspector is intercepting it and Google doesn't like being intercepted but when you use Microsoft edge with a horror of using edge you notice that Google has no problem with it because Google specifically because they write the Chrome browser they have extra certificates in the Chrome browser that double check and don't like anything in between there's some workarounds I haven't dug into them a lot but I just want to make sure people who may want to try this and want to go full-blown filtering where they put a certificate on each device so that allows visibility into the encrypted tunnels so untangle can do a higher level of filtering and get really specific reports on this that is going to be a problem for you if they're using the Chrome browser I believe it works fine with Firefox and it does work with edge so this want to bring those up real quick close off so outside of that though it works fine if you do turn on SSL like I said I wanted to make sure I tested it let's go back over to the demo we have Oh in kind of related if you wonder why there's an open VPN here the Open VPN installer is the same as I've seen on some of the other firewalls it's the standard Open VPN GUI so you can VPN in when you're setting up the VPN so let's go back over here and close this and I don't have the SSL inspector turned on at my house that's why I showed you the demo that I have here and the reason why is I'm not gonna go put certificates on all the devices in my house I don't like that that's not something I recommend it's something we do only an as-needed in business use cases but certainly I don't recommend it for home but you can do it it's an option I'll quickly cover the open VPN setup once again it's very turnkey everything so far about this firewall was very easy to do no problem just enable it go to the server set your address space add a user add clients it's got its own local directory of users or this does support Active Directory Integration and it's nice having these things out of the box so if you're deploying this in your office and you go hey I just have an act directory server and I want to apply untangle is an easy solution because they have that integration on there so that I've tested the VPN it works perfectly fine no gotchas no long config matter of fact one of the easiest ones I've set up and quite a while you just go here and nothing special needed and you download the Open VPN client and of course they got reporting on the VPN we'll get to reporting last now few these other things and likes it when failover WAM balancer you literally just go ahead and add a second LAN port and test it and it works we did test this and we didn't have any problems with setting up failover we demoed that all these things we've tried so far with it were very easy obvious just to go into now let's look at the config the config is neat back to simplicity here's all the interfaces that are on the box we're using at my house external internal remap interfaces so we can simply remap all of them and you ask well how do you know if an interface is when or LAN and in other firewalls you just have to choose whether or not it's a gateway in this one you just say by address check the box is when it's a static a DHCP or a pppoe that's it done really really straightforward and if you want to rename these interfaces it just names them Gamma Delta Epsilon Zeta so let's go over here interface and - there we go we've now changed a name it's really my overall like this was pretty easy to do and I got him in for doing all this in a web browser it's actually is it's nice and I'm gonna move my head out of the way here move it over here but you get interface statistics drop errors for internal-external so some of these things are still easy enough to do you can see different arpan trees and addresses of all the devices on my network hostname can be changed here service ports forwarding rules which I forward my aunt's estate server from home works fine nat rules bypass rules you can all your standard things you need they have a few troubleshooting tools in here as well ping test dns test connection test trace route download and packet test so if i want to see how fast it can download something they have a couple options here so we're going to go a five-night test from cache fly cool looks like my internet connections working reasonably fast at home these are like it's at nice features you can jump into and take a look at them you can also go into some advanced you know enable the sip NAT helper and a few other things on there so if you're having some trouble figuring these things out you can turn on things like NetFlow and dig into it a little bit further I haven't played with all the different tools on there and for those you wondering it does support by default fair queuing fq coddle which is a pretty hands-off easy-to-use QoS interface and once again it's got full traffic shaping abilities and for the paid version will go back over to apps you do have the bandwidth management so you can get more in depth and create priorities which they have a wizard that makes this really easy to do so you're just running the bandwidth control wizard and where you go i'm administration multiple users system information auto upgrades it asks you if you wanna turn them on yes you can it'll just automatically update the firewall i'm automatic upgrade schedule you check when you wanted to do and what time you wanted to do if you want this or don't upgrade automatically because you want to do it all manually if you have a busy corporate environment that's operating at 24/7 maybe you don't want to upgrade automatically email and event options and an about page now let's get into the reports because this is something i thought they did a nice job on so since today this week so let's let's start digging into Tom's reports where his Tom's people been going so let's look at the web usage you can filter these filtered it for this week I can add a condition to only find my computer but yeah this is this is nice they have just reports stacked down reports stacked down reports I don't have any block sites I guess there's nothing in here so you find something else device reports to device additions to the network I added to chromecast yesterday so I can right away find that I added those this is what time I added them so kind of neat device updates so when devices were taking on an office from people coming over my house and connecting their phones to my network you can run failover reports nothing to report there OpenVPN summary I don't so have Nia don't have any in the last week that I've done any testing with the VPN Televi PN everything is a same commonality of how these reports on their application controls top applications by session so we can dig into what was polling data across top applications by size let's see SSL was 25 gigabytes and quic was 20 gigabytes so that protocol which I don't have blocked is obviously a big part of the internet so here we see Netflix was 1.5 gigabytes of the data I think that fix is probably filtered somewhere in here and maybe I can't see it this is again one of those tricky things a bit tour stuff that's going on on my network so that was when we say flagged applications ah yeah I do flag it in the options and this flagging it creates a report for is flagging it so kind of neat Tom Lords PC it's my gaming computer so we can see that like I said they've got a lot of details in here um the fish blocker I wasn't using and I didn't like I said I didn't think I really filtered too many websites so I can see who's pulling all the web data who ever doubt 198 is and there's ways you can go through and name and DGP sure and all that so I just want to give her this overview of it as a firewall maybe I'll do some more in-depth videos on specific things its extensive but the good news is their documentation is extensive it's a commercial product so you get commercial support with the paid licenses on it they're like I said they're stale staff when I talk to when we're great my overall impressions of this after only using it for a couple weeks was really positive like I said we're gonna become a reseller because we've seen these out in the field and they've always seemed to work really well so this is gonna be just another solution we're not getting rid of every other firewall we've ever talked about we're not a company that focuses on a single vertical single product we only deploy one thing for clients we have deployed things that fit solutions based on their use cases so untangles just another tool in our toolkit of things are gonna be app offering to our clients and it seems to be a really solid product and when I've compared it to some of the other ones out there 48 Meraki so foes it's just the fact that I can't get a price for some of those other companies without digging into it I haven't had a lot experience to Sophos I will have saved my experience to 48 for clients using it has been less than great but my experience with untangle from using it and from talking to my tech friends has been absolutely smooth and wonderful and you can see almost how magical this whole system is and how it works pretty out of the box and turnkey and I didn't need to reference even their support documentation much to just to get it up and going and set up so go ahead 14-day free trial if you want to try it um there's no offer code so I have no affiliation with this company where you're offering it as a solution to our clients so you may buy it as us installing a solution but you just go to untangles website and click buy and download it yourself there's not any affiliate links with this this is not sponsored by untangle this is just me sharing my enthusiasm for it and thanks thanks for watching if you like this video go ahead and click the thumbs up leave us some feedback below to let us know any details what you liked and didn't like as well because we love hearing a feedback or if you just want to say thanks leave a comment if you wanted to be notified of new videos as they come out go ahead to subscribe and the Bell I can tell it's YouTube know that you're interested in notifications hopefully they send them as we've learned with YouTube anyways if you want to contract us for consulting services you go ahead and hit Lauren systems comm and you can reach out to us for all the projects that we can do and help you we work with a lot of small businesses IT companies even some large companies and you can farm different work out to us or just hire us as a consultant to help design your network also if you want to help the channel other ways we have a patreon we have affiliate links you'll find them in the description you'll also find recommendations to other affiliate links and things you can sign up for on lauren systems comm once again thanks for watching and I'll see you in the next video
Info
Channel: Lawrence Systems
Views: 83,822
Rating: undefined out of 5
Keywords: ng firewall, web filter, command center, untangle firewall, home network, untangle review, web filtering software, Open Source, ng firewall review, web filters rant
Id: dmCAePgVSUY
Channel Id: undefined
Length: 32min 32sec (1952 seconds)
Published: Tue Dec 04 2018
Related Videos
Note
Please note that this website is currently a work in progress! Lots of interesting data and statistics to come.