pfSense as Enterprise Firewall

Stugots (Supreme [H]ardness, joined Feb 25, 2004, 7,255 messages)
How would pfSense be in an enterprise environment?

My company currently has an aging Checkpoint firewall and is very reluctant to pay for updated/new licenses and new appliances. I was told to look into cheaper (a.k.a. free) solutions and started messing around with pfSense a little bit. It seems to have everything I would need, but I'm not sure if it would be robust enough to replace Checkpoint. We have a user base of around 500-1000 users.
 
I currently use pfSense in 100-150 user environments without issue. What kinds of features are you looking for?
 
How would pfSense be in an enterprise environment?

My company currently has an aging Checkpoint firewall and is very reluctant to pay for updated/new licenses and new appliances. I was told to look into cheaper (a.k.a. free) solutions and started messing around with pfSense a little bit. It seems to have everything I would need, but I'm not sure if it would be robust enough to replace Checkpoint. We have a user base of around 500-1000 users.

May I ask what version of Checkpoint you are comparing to pfSense? I'm trying to understand how pfSense has everything you need. I do understand the cost of Checkpoint, but I think you are not comparing two similar products.
 
May I ask what version of Checkpoint you are comparing to pfSense? I'm trying to understand how pfSense has everything you need. I do understand the cost of Checkpoint, but I think you are not comparing two similar products.

R65
 
What features are you in need of? Replacing Checkpoint... you may need to look towards a more UTM-class product.
 

I'm really not sure how you can compare pfSense to Checkpoint R65. One example is your default protocol filtering. Allowing the service http out to the Internet is not the same as allowing traffic out tcp port 80 to the Internet.
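The distinction drawn in the post above, as an added example in Python (not code from the thread, from pfSense or from Check Point): a port rule allows anything destined to TCP/80, while a service rule additionally requires the first client bytes to parse as an HTTP request line. The request-line pattern and the sample byte strings are constructed for illustration.

```python
"""Port-based vs. service-aware filtering (added example, not from the thread).

A port rule asks only "is this TCP/80?"; a service rule additionally asks
"does this look like HTTP?". The traffic samples below are constructed.
"""
import re

# Request line per RFC 7230: METHOD SP request-target SP HTTP/major.minor CRLF
_REQUEST_LINE = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n"
)


def looks_like_http(payload: bytes) -> bool:
    """True if the first client bytes form a syntactically valid HTTP/1.x request line."""
    return _REQUEST_LINE.match(payload) is not None


def port_policy(dst_port: int, payload: bytes) -> str:
    """Classic rule 'allow tcp out to any port 80': the payload is never inspected."""
    return "allow" if dst_port == 80 else "block"


def service_policy(dst_port: int, payload: bytes) -> str:
    """Service rule 'allow http': port 80 *and* HTTP syntax are both required."""
    if dst_port != 80:
        return "block"
    return "allow" if looks_like_http(payload) else "block"


# Constructed samples: a real request, a non-HTTP banner on port 80, an empty probe.
SAMPLES = {
    "http": (80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    "ssh": (80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    "empty": (80, b""),
}


def compare(samples=SAMPLES) -> dict:
    """Return {name: (port_verdict, service_verdict)} for each sample flow."""
    return {n: (port_policy(p, d), service_policy(p, d)) for n, (p, d) in samples.items()}


if __name__ == "__main__":
    for name, (pv, sv) in compare().items():
        print(f"{name:6s} port-rule={pv:5s} service-rule={sv}")
```

The port rule passes all three flows; the service rule passes only the one that is actually HTTP, which is the gap the post is pointing at.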
 
As others have said, it depends on your needs but it very likely can satisfy them.

I'm running pfSense at several offices, the main campus having ~150 users (450+ networked devices), all OpenVPN'd together for file and VOIP access. We use a large number of advanced features (and growing), such as CARP, OSPFd (for VPN HA), load balancing (both incoming for the DMZ and outgoing for WAN failover), flow monitoring, certificate management, DHCP relay for our VLANs, etc., with soon-to-be-rolled-out features like Snort, A/V proxy, Active Directory OpenVPN authentication (two-factor, on top of certs), and extremely fine-grained access control for our OpenVPN.

It's an extremely robust firewall if you have time to configure it properly (or pay a very reasonable rate for BSDPerimeter, the devs, to do it or help: portal.pfsense.org).
 
As others have said, it depends on your needs but it very likely can satisfy them.

I'm running pfSense at several offices, the main campus having ~150 users (450+ networked devices), all OpenVPN'd together for file and VOIP access. We use a large number of advanced features (and growing), such as CARP, OSPFd (for VPN HA), load balancing (both incoming for the DMZ and outgoing for WAN failover), flow monitoring, certificate management, DHCP relay for our VLANs, etc., with soon-to-be-rolled-out features like Snort, A/V proxy, Active Directory OpenVPN authentication (two-factor, on top of certs), and extremely fine-grained access control for our OpenVPN.

It's an extremely robust firewall if you have time to configure it properly (or pay a very reasonable rate for BSDPerimeter, the devs, to do it or help: portal.pfsense.org).

All features a Check Point has/can have (along with many more), with added protocol inspection (as jgedeon stated), IP spoofing protection, and probably the best built-in logging utility I've ever seen on a firewall.

I'm not trying to knock pF; everything you stated can be done with pretty much any firewall you get. You are just adding features onto an iptables firewall (essentially).

Any firewall you build will rely heavily on the hardware/resources it has available. pF could definitely handle a good share of network traffic. You just can't compare the level of security provided by pF to Check Point.

Hope this helps.


Background: I currently manage multiple Check Point UTM/Edge/SPLAT (open-server-based OS) devices, multiple pF devices, multiple ASA devices, and have worked on Juniper (Netscreen OS) along with Palo Alto.
 
All features a Check Point has/can have (along with many more), with added protocol inspection (as jgedeon stated), IP spoofing protection, and probably the best built-in logging utility I've ever seen on a firewall.

I'm not trying to knock pF; everything you stated can be done with pretty much any firewall you get. You are just adding features onto an iptables firewall (essentially).

Any firewall you build will rely heavily on the hardware/resources it has available. pF could definitely handle a good share of network traffic. You just can't compare the level of security provided by pF to Check Point.

Hope this helps.


Background: I currently manage multiple Check Point UTM/Edge/SPLAT (open-server-based OS) devices, multiple pF devices, multiple ASA devices, and have worked on Juniper (Netscreen OS) along with Palo Alto.

I don't really have time or energy to argue but I will point out that both of your "added features" are available on pfSense 2.0 (L7 filtering and IP spoofing protection - at least to some degree).

That said I have not used a Check Point device.
 
I don't really have time or energy to argue but I will point out that both of your "added features" are available on pfSense 2.0 (L7 filtering and IP spoofing protection - at least to some degree).

That said I have not used a Check Point device.

It's a forum, you can take all the time you require. The L7 filtering is with Snort, an IDS. IP spoofing is not anti-spoofing. Anti-spoofing is defining the networks that reside behind your network interface card, lowering the chance of a rogue IP traversing your firewall's rulebase and thus getting onto your network.
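The anti-spoofing definition given above, worked through as an added Python example (not code from the thread or from any firewall product): each interface is mapped to the networks that legitimately sit behind it, and an inbound packet is dropped when its source address does not belong to the interface it arrived on. The interface map, the bogon list and the packet trace are constructed for illustration.

```python
"""Interface-based anti-spoofing (added example, not from the thread).

Ties each interface to the networks expected behind it and drops inbound
packets whose source address does not fit its ingress interface. The
topology and packets below are constructed.
"""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed topology: networks expected behind each internal interface.
# The external interface gets an empty list: no internal network lives behind it.
INTERFACE_NETWORKS: Dict[str, List[str]] = {
    "lan": ["192.168.10.0/24"],
    "dmz": ["192.168.20.0/24"],
    "wan": [],
}

# Sources that should never arrive from the outside (RFC 1918, loopback, link-local, "this" net).
BOGON_NETWORKS = [
    ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")
]


def _internal_networks(ifmap):
    return [ip_network(n) for nets in ifmap.values() for n in nets]


def antispoof_verdict(ingress: str, src: str, ifmap=INTERFACE_NETWORKS) -> Tuple[str, str]:
    """Return (verdict, reason) for a packet with source `src` arriving on `ingress`."""
    addr = ip_address(src)
    own = [ip_network(n) for n in ifmap.get(ingress, [])]
    if own:
        # Internal interface: the source must belong to one of its own networks.
        if any(addr in net for net in own):
            return ("pass", "source belongs to ingress interface")
        return ("drop", "source not defined behind this interface")
    # External interface: an internal or bogon source can only be spoofed.
    if any(addr in net for net in _internal_networks(ifmap)):
        return ("drop", "internal source address seen on external interface")
    if any(addr in net for net in BOGON_NETWORKS):
        return ("drop", "bogon source on external interface")
    return ("pass", "routable external source")


# Constructed packets: (ingress interface, source address)
PACKETS = [
    ("lan", "192.168.10.25"),   # legitimate LAN host
    ("lan", "192.168.20.7"),    # DMZ address arriving on LAN
    ("wan", "192.168.10.25"),   # internal address from outside
    ("wan", "203.0.113.9"),     # ordinary external source (TEST-NET-3, constructed)
    ("wan", "10.0.0.1"),        # RFC 1918 source on the WAN
]


def filter_packets(packets=PACKETS, ifmap=INTERFACE_NETWORKS) -> List[Tuple[str, str, str]]:
    """Apply the check to each packet; returns (ingress, src, verdict)."""
    return [(i, s, antispoof_verdict(i, s, ifmap)[0]) for i, s in packets]


if __name__ == "__main__":
    for ingress, src, verdict in filter_packets():
        print(f"{ingress:4s} {src:16s} -> {verdict}")
```

The point of the check is that it runs before the ordinary rulebase: a packet claiming a LAN source on the WAN never gets the chance to match a rule written for LAN hosts.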
 
I think you should be looking at something like Untangle Premium/ClearOS Premium/Endian Std package. They all require fees, but they're much cheaper than Checkpoint.

AFAIK pfSense is an extremely basic firewall - it can't even show or shape traffic based on per-user bandwidth.
 
I think you should be looking at something like Untangle Premium/ClearOS Premium/Endian Std package. They all require fees, but they're much cheaper than Checkpoint.

AFAIK pfSense is an extremely basic firewall - it can't even show or shape traffic based on per-user bandwidth.

Hey! You said Untangle!
 
It simply doesn't make a lot of economic sense to take a perfectly good software license and trade that in for an overpriced appliance (any appliance would fall into that category). If you are in need of a brand new firewall, where you do not already own the license, the properly sized appliance makes some sense.
 
AFAIK pfSense is an extremely basic firewall - it can't even show or shape traffic based on per-user bandwidth.

It certainly can show traffic per user, and with even more detail with the "BandwidthD" add-on. It can also control traffic "per user" for one user, the "penalty box" feature. I've never looked into doing that for more than one user though.
 
AFAIK pfSense is an extremely basic firewall - it can't even show or shape traffic based on per-user bandwidth.

pfSense 2.0 can do this. You create a bandwidth rule, which has an option "per source IP," then you assign that bandwidth rule to a firewall rule and the bandwidth rule is applied per source (LAN) IP address.
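To show what the "per source IP" option in the post above changes, here is an added Python model (not pfSense's own limiter code): the same token-bucket budget is applied once as a single shared pool and once as one bucket per source address. The rate, burst size and packet trace are constructed assumptions.

```python
"""Shared vs. per-source-IP bandwidth limiting (added example, not from the thread).

Models a limiter as a token bucket. With per_source=True every source address
gets its own bucket, so one busy host cannot consume another host's budget.
Rate, burst and trace are constructed for illustration.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

RATE_BPS = 1_000_000   # bytes per second (assumed)
BURST = 6_000          # bytes that may be sent at once (assumed)


class TokenBucket:
    """Admit up to `rate_bps` bytes per second with a burst of `burst` bytes."""

    def __init__(self, rate_bps: float, burst: int):
        self.rate = rate_bps
        self.burst = burst
        self.tokens = float(burst)
        self.last = 0.0

    def admit(self, now: float, size: int) -> bool:
        # Refill in proportion to elapsed time, never above the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= size:
            self.tokens -= size
            return True
        return False  # over budget: the limiter drops (or queues) the packet


# Constructed trace: (time, source IP, size in bytes). One host bursts ten
# full-size frames in the same instant; a second host sends one frame.
TRACE: List[Tuple[float, str, int]] = (
    [(0.0, "192.168.10.5", 1500)] * 10 + [(0.0, "192.168.10.6", 1500)]
)


def shape(trace, rate_bps: float, burst: int, per_source: bool) -> Dict[str, Tuple[int, int]]:
    """Return {src: (admitted, dropped)} using one bucket per source or one shared bucket."""
    buckets = defaultdict(lambda: TokenBucket(rate_bps, burst))
    shared = TokenBucket(rate_bps, burst)
    stats = defaultdict(lambda: [0, 0])
    for t, src, size in trace:
        bucket = buckets[src] if per_source else shared
        stats[src][0 if bucket.admit(t, size) else 1] += 1
    return {s: (a, d) for s, (a, d) in stats.items()}


if __name__ == "__main__":
    for mode in (False, True):
        label = "per-source" if mode else "shared"
        for src, (ok, dropped) in shape(TRACE, RATE_BPS, BURST, mode).items():
            print(f"{label:10s} {src:14s} admitted={ok} dropped={dropped}")
```

With a shared bucket the bursting host empties the 6,000-byte budget and the second host's single frame is dropped; with per-source buckets the second host is unaffected, which is the behaviour the post describes for a limiter assigned to a firewall rule with the per-source-IP mask.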
 