Replacement for SonicWall TZ200

Corporal79 (Gawd, joined Oct 28, 2004, 889 messages)
I have a side gig that I do some work for, and they've had a SonicWall TZ200 device in their branch office and also in their data center, with a site-to-site VPN connection between the two devices. About a month ago the bandwidth throughput got severely decreased. They went from getting about 28Mbps/27Mbps to now ~3Mbps/12Mbps.

I've spent days troubleshooting with SonicWall, which could be a whole dedicated thread on its own, but I digress. I even had the ISP come out and test the line, and when they hooked up their own laptop it got the speeds it should be getting. I've rebuilt the config on the SonicWall from scratch, which was a major pain in the ass because I'm not a firewall guy by any means. After firmware updates and pulling my hair out I've decided to dump the TZ200; to what, I don't know. I need two devices, one for the data center and one for the branch office. I'm pretty sure something in the config is causing this; I was escalated to the highest level at SonicWall and they sent me a replacement unit, which I rebuilt the config on, and I also tried to import the old settings, with no luck. I very well could have done something or made a change to cause this, but I'm at a loss and willing to try another product.

I get spammed by Barracuda all the time; do they have quality devices? Something with a web interface would be great, since I'm not a firewall guru by any means and had set up a bunch of address objects with NATs and all that.

Any and all suggestions are welcome; please keep the cost reasonable and not some $5k resolution, because this company definitely can't afford that.

Thanks!
 

Oh, I know how to fix that :) Want a screenshot or a PM?

P.S. What firmware is currently on the 200?
 
They aren't... :D J/K

If you can't fix the issue, either a pair of ASAs or Juniper SSGs.
 
See if your firewall is set to this.

[image: tz200.jpg]

If it is set to Maximum Security, your throughput will be cut in half. When I had it turned on, my max download was 13mb; with it off my max is 49mb on my 50mb down connection.

Dash.
 
There is also a setting on the diag.html side that you should bump up from the default settings. We had download problems, and after doing all of that it was easy as could be.
 
Yeah, I was going to say to check the security services... The scanning traffic can really hurt bandwidth.
 
Zyxel USG 300 would also be a good upgrade. Not as good as an ASA 5510, but far better than the 5505.
It's FreeBSD-based and has a built-in hardware VPN accelerator.
Do not turn on IDP or AV; those two settings will pull this unit's performance way down.

You can use the content filtering and anti-spam and it will sustain 60-70 Mbps with 200+ users beating on it with no issues. 100 VPN users with 15% avg load.

SmallNetBuilder has two reviews on the lower-end models in this series.
 
I would say the Zyxel USG 300 was more in line with the 5510 price-wise.
 
Jay... do you have access to some steeply discounted Cisco stock?

A quick Google Shopping lookup shows:

Zyxel USG300 $998

Cisco ASA5510 $1695
 
All suggestions are good but different.

Zyxel USG300

PFSense box

ASA5510

Juniper SSG20 or better may also work.
 
> Jay... do you have access to some steeply discounted Cisco stock?
>
> A quick Google Shopping lookup shows:
>
> Zyxel USG300 $998
>
> Cisco ASA5510 $1695

Those Zyxels are $$$$$$ to re-subscribe when the subscription runs out :(
 
Zyxel USG anti-spam is free.

The CF module ICCF1YUSG300 is $220 per year, but it's crazy good. Keep in mind that you can do basic CF for free.

The AV is expensive.

The IDP is not worth the performance penalty unless you buy a USG1000 or higher.

Even with all that, they are fantastic VPN boxes.
 
A Juniper SSG5 will do you 40 Mbps IPsec; not sure what they go for in the US, but you should be able to get one for well under 1000.
 
If you go to your router, log in to the SonicWall at

http://routerip/mail.html

After you log in, go to

http://routerip/diag.html

then uncheck CFS Tagging.

If you have cable modems (e.g. Motorola), set your WAN MTU to 1404.
Also make sure your zones have the correct services applied to them, i.e. if you trust your LAN, turn off AntiVirus on the LAN zone and just keep it on the WAN zone.
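Added example (mine, not from this thread or from SonicWall): rather than set a WAN MTU of 1404 blindly, measure the largest IPv4 packet the path carries without fragmentation and size the interface MTU from that. It is a binary search over Don't-Fragment pings, so it goes beyond the cable-modem case in the post above and works for any upstream path, including the site-to-site VPN. It assumes Linux iputils `ping` (`-M do` sets DF, `-s` sets the ICMP payload); the target address and the `make_fake_runner` simulation are constructed so the search can be exercised offline.

```python
"""Path-MTU probe by binary search over DF-marked pings (added example)."""
import re
import subprocess
from typing import Callable, Optional, Tuple

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header

# Messages iputils/the kernel emit when a DF-marked probe cannot pass.
_TOO_BIG = re.compile(r"Frag needed|message too long|mtu=\d+", re.I)

Runner = Callable[[str, int], Tuple[str, int]]


def payload_for_mtu(mtu: int) -> int:
    """ICMP echo payload that produces an IPv4 packet of exactly `mtu` bytes."""
    return mtu - IP_ICMP_OVERHEAD


def mtu_for_payload(payload: int) -> int:
    """Inverse of payload_for_mtu."""
    return payload + IP_ICMP_OVERHEAD


def probe_passes(output: str, returncode: int) -> bool:
    """A probe passes only on exit 0 with no 'too big' message in the output."""
    return returncode == 0 and not _TOO_BIG.search(output)


def ping_df(host: str, payload: int, timeout_s: int = 2) -> Tuple[str, int]:
    """Send one DF-marked echo of `payload` bytes (Linux iputils flags)."""
    cmd = ["ping", "-M", "do", "-c", "1", "-W", str(timeout_s),
           "-s", str(payload), host]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return proc.stdout + proc.stderr, proc.returncode


def find_path_mtu(host: str, lo_mtu: int = 576, hi_mtu: int = 1500,
                  runner: Runner = ping_df) -> Optional[int]:
    """Largest IPv4 MTU (lo_mtu..hi_mtu) whose DF probe reaches `host`.

    Returns None when even `lo_mtu` fails (host down or ICMP filtered);
    callers must treat that as "unknown", not as "use lo_mtu".
    """
    out, rc = runner(host, payload_for_mtu(lo_mtu))
    if not probe_passes(out, rc):
        return None
    lo, hi = lo_mtu, hi_mtu  # invariant: lo passes, hi not yet known to fail
    while lo < hi:
        mid = (lo + hi + 1) // 2
        out, rc = runner(host, payload_for_mtu(mid))
        if probe_passes(out, rc):
            lo = mid
        else:
            hi = mid - 1
    return lo


def make_fake_runner(path_mtu: int, reachable: bool = True) -> Runner:
    """Constructed stand-in for ping_df simulating a path with a fixed MTU."""
    def runner(host: str, payload: int) -> Tuple[str, int]:
        if not reachable:
            return "1 packets transmitted, 0 received, 100% packet loss", 1
        if mtu_for_payload(payload) > path_mtu:
            return f"ping: local error: message too long, mtu={path_mtu}", 1
        return "1 packets transmitted, 1 received, 0% packet loss", 0
    return runner


if __name__ == "__main__":
    import sys
    # 192.0.2.1 is a documentation (TEST-NET-1) placeholder; pass a real host.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"
    print(find_path_mtu(target))
```

Run it against the far end of the tunnel (or the ISP gateway) from a host behind the firewall; if the result is below 1500, set the WAN MTU to that value rather than a guessed one. A result of None means the probe itself is being blocked, which is common where ICMP is filtered, and says nothing about the MTU.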
 
> Jay... do you have access to some steeply discounted Cisco stock?
>
> A quick Google Shopping lookup shows:
>
> Zyxel USG300 $998
>
> Cisco ASA5510 $1695

Why do you need a 5510?
A 5505 will work fine for your needs. They are less than $500.
 
> See if your firewall is set to this.
>
> [image: tz200.jpg]
>
> If it is set to Maximum Security, your throughput will be cut in half. When I had it turned on, my max download was 13mb; with it off my max is 49mb on my 50mb down connection.
>
> Dash.

Checked that, and Performance Optimized is the current selection.

> There is also a setting on the diag.html side that you should bump up from the default settings. We had download problems, and after doing all of that it was easy as could be.

Any more detail on this?

> If you go to your router, log in to the SonicWall at
>
> http://routerip/mail.html
>
> After you log in, go to
>
> http://routerip/diag.html
>
> then uncheck CFS Tagging.
>
> If you have cable modems (e.g. Motorola), set your WAN MTU to 1404.
> Also make sure your zones have the correct services applied to them, i.e. if you trust your LAN, turn off AntiVirus on the LAN zone and just keep it on the WAN zone.

Unchecked CFS tagging.

Ran another speed test from speedtest.net and also TW Telecom's speed test site: 7.25 down and 9.57 up, awful. This is a 30/30 connection.

Any other ideas?

Again, keep in mind I know just enough to get myself in deep water with firewalls. I don't know anything about Ciscos or the CLI, so something with a web interface to set up would be ideal.
 
Current firmware on the unit?
 
Any other suggestions? I was looking at the ASA 5505, but diving into Cisco CLI isn't really something I was hoping to get into right now. It would probably take me longer to set up and figure out how to manage than getting something with an easier interface.

Has anyone actually used any Barracuda products?
 
The ASAs don't have to be configured via the CLI; they have a GUI login as well through ASDM. There's a bunch of wizards and such to help walk you through initial setups and VPNs. The 5505 is quite a solid device for the cost.
 
ASAs can't do what a SonicWall can, though...
 
What features are you talking about, Dash?

Application flow? Monitoring? I think I did a comparison a few months ago...

Does the ASA 5505 have AV at the gateway? Spyware at the gateway? SSL VPN? VLAN support?

I personally like the application monitoring; it tells me what is being mostly used, etc.

I'd take a SonicWall over an ASA any day...
 
We're back to talking about an extended FW feature set versus an evolving UTM device... + licensing, etc.
 
> Application flow? Monitoring? I think I did a comparison a few months ago...
>
> Does the ASA 5505 have AV at the gateway? Spyware at the gateway? SSL VPN? VLAN support?

An ASA has SSL VPN, and probably the most common one out there (AnyConnect). There is even an iPhone version of it. ASAs also support VLANs. Spyware and AV? No, because it's a firewall, and a high-end one at that, not a UTM.
 
SonicWall has an SSL VPN iPhone, iPad and Mac/PC client too.
 
Also, if you are a fan of GUIs, you might consider a WatchGuard model. You can certainly find one in your price bracket.
 
The saga continues...

I'm getting jerked around by the Barracuda sales guy trying to get me to add on every single license they offer.

At this point I'm almost thinking of just getting some hardware and throwing pfSense or Untangle on it. Normally I'd be wary of putting a self-built device in to handle this role, but it might work in this case.

I know this is generally a no-no, but aside from just pulling the trigger and stumbling through an ASA 5505, Barracuda F100 or a WatchGuard XTM 22 on my own, skipping all sales channels...

Thoughts?
 
I vote Cisco ASA5505.

We use old Barracudas here at work for our Spam and Web Filter. They are the 300 and 400 series, I believe. We just had a PSU die in one; cracked her open, and it's a shitty MSI board with a no-name PSU and no-name RAM. It had SATA onboard, but no, they had to use IDE because they just had to cheap it out as much as possible. I wasn't impressed. The actual filtering works great, however, but the hardware is cheap. I don't know if it's improved at all since then.
 
Thanks for the reply.

I don't know much about Cisco hardware; can this device do any content filtering?

Also, how does the licensing work? There are a total of 21 users who will be in the office using the internet, and there will be a site-to-site VPN going to the data center, along with ~5 remote users who would need outside VPN access.
 
I hope it's cool to resurrect this thread since it's my own, but I wanted to follow up on this and I had another question about configuring the SonicWall.

The culprit ended up being a small 5-port switch (Netgear GS105) that the ISP's connection goes into; then one cable goes to the SonicWall WAN interface and one cable goes out to the company's Allworx device.

If I run the ISP's Ethernet directly to the SonicWall I get the full speeds. If I unplug the Allworx from the switch I get full speeds, but as soon as I introduce the Allworx into the switch, throughput is sliced in half or more.

During some troubleshooting with Time Warner Telecom they suggested I take the switch out of the picture and configure a free interface on the SonicWall to handle the Allworx traffic; then I should be good. Sounds logical to me.

Since the Allworx needs internet access so remote users' phones can hook up to it, how should I configure the interface? Would I use the same IP information as I have configured for the X1? Or is there another way to give the X2 interface connectivity to the world?
 
What is the "Allworx" device? This will help us more :)
 