Need a VPN Firewall Router recommendation

I have a client with a main office of about 50 users and two satellite offices of about a dozen each. At the main office they have been getting by with a Netgear ProSafe VPN router and it should be replaced as it is fairly old and we feel like it is flaky (needs to be rebooted regularly, etc.).

The new router will hopefully cost around $600 to $900 but maybe more if it is well featured; I expect that a true firewall will have some sort of recurring subscription fee to keep protection updated, etc. (The current one does not do this.)

What I need it to do:

Dual WAN ability for Fail-over and/or Load Balancing.

Site-to-Site VPN for the two satellite locations and better if not limited to only two. Nothing too fancy here; pretty much the basic SHA1 3DES yada yada…

Web Content Filtering for LAN users. Need to be able to block sites based on URLs, domains, categories and/or keywords. Further, need to be able to segment the LAN population (by either IP or MAC) into groups such that we can restrict different departments in different ways or else provide a bypass passcode that the chosen few can enter to get around the web restrictions.

My tried-and-true Sonicwall firewalls have gotten rather stupid in some of these areas. Many don’t do dual-WAN (or not very well or intuitively) and the Content Filtering is completely arcane and nonsensical requiring you to have an internal webpage to host varying certificates, etc.
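As an added example that is not part of the original post or any vendor's documentation, the site-to-site requirement above expressed as a strongSwan `swanctl.conf` on the main-office gateway: one IKEv2 connection per satellite office, with the satellites simply mirroring the local/remote values. Every address, identity and the pre-shared key are assumed placeholders. The "basic SHA1 3DES" proposal the question mentions is shown only as a commented alternative; the live lines use AES-256, SHA-256 and a 2048-bit DH group.

```conf
# Added example (not from the original post): main-office strongSwan
# gateway terminating one IKEv2 site-to-site tunnel per satellite office.
# All addresses, identities and secrets below are assumed placeholders.
connections {
    satellite-1 {
        version = 2
        local_addrs  = 203.0.113.1        # main office WAN address (assumed)
        remote_addrs = 198.51.100.1       # satellite 1 WAN address (assumed)
        # IKE proposal. The legacy "SHA1 3DES" set would be:
        #   proposals = 3des-sha1-modp1024
        proposals = aes256-sha256-modp2048
        dpd_delay = 30s                   # dead-peer detection interval
        local {
            auth = psk
            id = main.example.net
        }
        remote {
            auth = psk
            id = sat1.example.net
        }
        children {
            sat1-lan {
                local_ts  = 10.0.0.0/24   # main office LAN (assumed)
                remote_ts = 10.1.0.0/24   # satellite 1 LAN (assumed)
                # ESP with a DH group => perfect forward secrecy on rekey
                esp_proposals = aes256gcm16-modp2048
                start_action = start      # bring the tunnel up on load
                dpd_action = restart      # re-establish if the peer goes silent
            }
        }
    }
    satellite-2 {
        version = 2
        local_addrs  = 203.0.113.1
        remote_addrs = 198.51.100.2       # satellite 2 WAN address (assumed)
        proposals = aes256-sha256-modp2048
        dpd_delay = 30s
        local {
            auth = psk
            id = main.example.net
        }
        remote {
            auth = psk
            id = sat2.example.net
        }
        children {
            sat2-lan {
                local_ts  = 10.0.0.0/24
                remote_ts = 10.2.0.0/24   # satellite 2 LAN (assumed)
                esp_proposals = aes256gcm16-modp2048
                start_action = start
                dpd_action = restart
            }
        }
    }
}

secrets {
    # One PSK per peer pair; id-* keys name the identities it applies to.
    ike-sat1 {
        id-main = main.example.net
        id-sat1 = sat1.example.net
        secret = "replace-with-a-long-random-psk-for-site-1"
    }
    ike-sat2 {
        id-main = main.example.net
        id-sat2 = sat2.example.net
        secret = "replace-with-a-long-random-psk-for-site-2"
    }
}
```

Adding a third or fourth satellite is another `connections` entry plus its secret, so the "not limited to only two" point is a matter of configuration rather than a hard cap. After editing, `swanctl --load-all` reloads the file and `swanctl --list-sas` shows which child SAs are actually established.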

We found Netgear to be pretty terrible, we have almost all of them removed from our network now. We are primarily Sonicwall and fairly happy with them. Depending on the model it can do everything you are talking about; we use them for a 12x mesh network which was kind of a pain to setup as you can imagine. That’s pretty much the limit though, you can’t have more site to site networks than 12 or 16 I think (at least without paying more, if it’s possible at all).

If you want absolute stability go Cisco. You will end up paying quite a bit more and it will be more difficult to setup, but you will get your stability. Every couple of months one of our Sonicwalls needs to be rebooted (takes a minute) because the VPN dropped or the GUI crashed.

Might try looking at the Check Point Safe@ or UTM-1 Edge ranges. Both should meet your functionality requirements. Safe@ should be in the budget, Edge a little more than that. There will usually be an annual support component attached to these which covers updates to bits of the UTM (Unified Threat Management) functionality (AV/AS, URL Filtering, etc). Typically true for most commercially recommended stuff (probably including the Sonicwalls you are familiar with). If you plan on upgrading the other sites later, Edge would be preferred as they can be centrally managed.

Another option might be the Juniper SRX range, in particular the SRX110 or SRX210. Don’t recall the price range of these though. SRX110 might be ok, but the SRX210 may be stretching.

http://www.juniper.net/us/en/products-services/security/srx-series/srx110/

http://www.juniper.net/us/en/products-services/security/srx-series/srx210/

If you want absolute stability go Cisco.

Pffft! Cisco haven’t been a player in the security space since the PIX days! ;)

That said, you will pick up an 800 series router in your price range as well. As mentioned, will certainly do the job but will be more cumbersome to configure. Most other vendors still tend to be more approachable in their approach to configuration and GUI than Cisco.

Disclaimer - I have sold all these in the past, but I am not an engineer, so I have never deployed and managed in an environment! I also come from primarily an Enterprise sales background so I would typically never recommend anything from the consumer space (Netgear, Linksys, etc) for business use.

No idea honestly, I can just say I never have to fiddle with our Cisco stuff after I set it up. I just hate setting it up.

Looks like we may go with a Fortinet FortiGate 60C.