SonicWall TZ570

Circumnavigate

Limp Gawd
Joined
Dec 26, 2009
Messages
218
A friend owns a small physical therapy office, his network has 1 server, 4 computers and 6 users. His vendor wants to charge him $5000 for a SonicWall TZ570 with 3 year subscription and $1500 for the install so $6500 total for 3 years of firewall.

Do you guys think this is worth it or is he getting hosed by this company? Is this firewall overkill for such a small business?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
Lots of questions unanswered to even begin ...

What are the value adds?
Who developed the policy?
Does that cover 3 years of monitoring, maintenance and threat analysis?
What features are included in SonicWall license?
Is remote access VPN included?

Business class firewalls and their proper management aren't the crappy consumer gear most here are used to. That said, not sure I'd consider SonicWall in the same sentence as CheckPoint, Cisco, Fortinet and PaloAlto, but still better than most of the crap I see people talking about here. I will say that if TLS/SSL deep inspection of all traffic is not part of the deal then they're buying nothing beyond a couple-millisecond routing speed bump.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,617
Scam....

for that price?

Get a Checkpoint / PaloAlto...better in all senses anyways :D

Also what is on the server? Files I presume?

Any NAT rules required, hopefully not?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
FWIW I looked into this a bit more. That 5K looks to be MSRP on hardware + subscription. My guess is that this is an install, build initial policy and walk away deal. Does your friend have the expertise and cycles to manage, monitor and maintain this firewall, or any firewall, on a day-to-day basis? I would instead suggest he find an MSSP to do this for him and focus on his business. Most MSSPs will lease the equipment to the customer so the upfront charges will be less but there will be a recurring monthly charge.
 

Circumnavigate

Limp Gawd
Joined
Dec 26, 2009
Messages
218
> FWIW I looked into this a bit more. That 5K looks to be MSRP on hardware + subscription. My guess is that this is an install, build initial policy and walk away deal. Does your friend have the expertise and cycles to manage, monitor and maintain this firewall, or any firewall, on a day-to-day basis? I would instead suggest he find an MSSP to do this for him and focus on his business. Most MSSPs will lease the equipment to the customer so the upfront charges will be less but there will be a recurring monthly charge.

Thank you!

He doesn't know very much about computers so I'm assuming he's not maintaining anything. I'll ask him next time I see him.

I will definitely tell him about MSSPs. Do you know how I could go about finding a good one to recommend for him? His office is in the Seattle area.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,617
Ya, you may even be able to go right through the vendor for actual support, like direct to Checkpoint or PaloAlto instead of paying an MSP, but some MSPs, if they have partnerships with the vendors, can get gear for cheap, so overall it could cost more and you get more value through an MSP.

As noted above, you will want a system in place to be sure the devices are patched as often as required, as well as reviewing policies and checking logs for things and adjusting as necessary. NGFWs are not so much just install it and walk away; everything should have eyes on it to some degree, even if it is only once a month.
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,399
Medical offices seem to always get ripped off on their IT. If they're using a cloud based system (which most do), find out what that vendor recommends and just go with that so there's less finger pointing when things get hacked/broken/don't work/etc.

And I looked at the TZ570--it's a desktop-class unit that my Watchguard M300 would be on par with--except that I paid $100 for the M300 with almost 2 years warranty remaining as well. The used market for enterprise gear is full of great value if one knows where to look--and a good MSP would be doing just that--not just quoting MSRP and ripping people off.
 

Valnar

2[H]4U
Joined
Apr 3, 2001
Messages
3,873
> A friend owns a small physical therapy office, his network has 1 server, 4 computers and 6 users. His vendor wants to charge him $5000 for a SonicWall TZ570 with 3 year subscription and $1500 for the install so $6500 total for 3 years of firewall.
>
> Do you guys think this is worth it or is he getting hosed by this company? Is this firewall overkill for such a small business?
That seems awfully high for a Sonicwall. Agree that Palo Alto and Fortinet are the only two worth considering in that price range. Watchguard can be decent. Say no to Sophos. CheckPoint makes crap in their lower tier. Cisco...sigh...dammit Cisco. I cannot recommend Firepower.

If they don't need an NGFW, then all kinds of low-end firewalls open up, from pfSense to Ubiquiti.
 
Joined
Dec 6, 2021
Messages
11
> Medical offices seem to always get ripped off on their IT. If they're using a cloud based system (which most do), find out what that vendor recommends and just go with that so there's less finger pointing when things get hacked/broken/don't work/etc.
>
> And I looked at the TZ570--it's a desktop-class unit that my Watchguard M300 would be on par with--except that I paid $100 for the M300 with almost 2 years warranty remaining as well. The used market for enterprise gear is full of great value if one knows where to look--and a good MSP would be doing just that--not just quoting MSRP and ripping people off.
Yeah but then modern medicine goes and rips off their customers with high bills and low service, only to maybe help manage your problem so they can keep billing you as you come back forever.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
> That seems awfully high for a Sonicwall. Agree that Palo Alto and Fortinet are the only two worth considering in that price range. Watchguard can be decent. Say no to Sophos. CheckPoint makes crap in their lower tier. Cisco...sigh...dammit Cisco. I cannot recommend Firepower.
>
> If they don't need an NGFW, then all kinds of low-end firewalls open up, from pfSense to Ubiquiti.
If they are a medical provider that takes credit or debit cards then an NGFW with logging will be required to pass any HIPAA or PCI audit. I'd also argue that anything short of an NGFW with full TLS/SSL decrypt isn't a firewall these days. As for finding an MSSP I'd start with the ISP business office.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
> What do you mean the ISP business office? Like contact the ISP and just ask them for recommendations?

I assume since this is a business that the connection is a business account. He should be able to contact his account rep and inquire. Many ISPs offer some degree of managed services to their customers. Theirs may offer security services and that is where I would suggest they start. If that doesn't work out I'd suggest he look into what his peers are doing or other SMBs in the area. Beyond that, choose Checkpoint, Cisco, Fortinet or PA and reach out directly and see if they can point to a local source. Given what he's looking at currently I'd swing toward Fortinet (big caveat: I run Fortinet gear at home and I support it at work so I may be a bit biased :) ), as they provide a full stack (firewall, switches, AP) and almost always deliver the bang for the $$. They need to be very cognisant that performance is what drives firewall cost. Just because you have a 1Gbps circuit does not mean you need a firewall that decrypts and inspects 1Gbps (2Gbps bidi) of TLS/SSL traffic. They need to look at how much throughput they are actually using, account for some growth over the life of the lease, and make a decision. That said, it is better to buy too big than too little, so err on the side of caution but understand throughput = $$. Unfortunately this is where the expertise comes in and a lot of mistakes happen.

I'm afraid to ask but, what do they have in place today?
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,399
> If they are a medical provider that takes credit or debit cards then an NGFW with logging will be required to pass any HIPAA or PCI audit. I'd also argue that anything short of an NGFW with full TLS/SSL decrypt isn't a firewall these days. As for finding an MSSP I'd start with the ISP business office.
But this will depend on who's processing the card too--if the readers simply pass the data on to their medical billing provider, then that provider is on the hook instead, no?
 

SamirD

Supreme [H]ardness
Joined
Mar 22, 2015
Messages
5,399
> I assume since this is a business that the connection is a business account. He should be able to contact his account rep and inquire. Many ISPs offer some degree of managed services to their customers. Theirs may offer security services and that is where I would suggest they start. If that doesn't work out I'd suggest he look into what his peers are doing or other SMBs in the area. Beyond that, choose Checkpoint, Cisco, Fortinet or PA and reach out directly and see if they can point to a local source. Given what he's looking at currently I'd swing toward Fortinet (big caveat: I run Fortinet gear at home and I support it at work so I may be a bit biased :) ), as they provide a full stack (firewall, switches, AP) and almost always deliver the bang for the $$. They need to be very cognisant that performance is what drives firewall cost. Just because you have a 1Gbps circuit does not mean you need a firewall that decrypts and inspects 1Gbps (2Gbps bidi) of TLS/SSL traffic. They need to look at how much throughput they are actually using, account for some growth over the life of the lease, and make a decision. That said, it is better to buy too big than too little, so err on the side of caution but understand throughput = $$. Unfortunately this is where the expertise comes in and a lot of mistakes happen.
>
> I'm afraid to ask but, what do they have in place today?
I wouldn't actually talk to a business ISP office unless they really know their stuff. Most that I've ever talked to are not up on even basic networking, much less advanced 'real' firewall tech--they just want to sell you something and get you under a contract.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
> But this will depend on who's processing the card too--if the readers simply pass the data on to their medical billing provider, then that provider is on the hook instead, no?

I only deal with the backend of PCI audits for firewalls and IPS sensors, not the "why am I getting audited" part. That said, it is my understanding that if you handle the cards or the card data in any way you're on the hook. In my case I have firewalls and sensors the data traverses and have to provide documentation so ....
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
821
> I wouldn't actually talk to a business ISP office unless they really know their stuff. Most that I've ever talked to are not up on even basic networking, much less advanced 'real' firewall tech--they just want to sell you something and get you under a contract.

My experience has been that the actual folks that manage those services are okay. As you say, it may be a trick getting there, which is why I'd start with the business account rep vs phoning in and talking to some schmo. I used to have a few coworkers that came from Time Warner Cable's MSSP side of the house and they were pretty bright, especially given most folks at TWC could not even spell IP.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,617
> Medical offices seem to always get ripped off on their IT. If they're using a cloud based system (which most do), find out what that vendor recommends and just go with that so there's less finger pointing when things get hacked/broken/don't work/etc.
>
> And I looked at the TZ570--it's a desktop-class unit that my Watchguard M300 would be on par with--except that I paid $100 for the M300 with almost 2 years warranty remaining as well. The used market for enterprise gear is full of great value if one knows where to look--and a good MSP would be doing just that--not just quoting MSRP and ripping people off.

Good MSPs do not buy used gear; they buy new for full warranty and support because they don't want to worry about what-if issues on used gear being sold on eBay or something. Their reputation goes with what they sell.
 

MrGuvernment

Fully [H]
Joined
Aug 3, 2004
Messages
20,617
> If they are a medical provider that takes credit or debit cards then an NGFW with logging will be required to pass any HIPAA or PCI audit. I'd also argue that anything short of an NGFW with full TLS/SSL decrypt isn't a firewall these days. As for finding an MSSP I'd start with the ISP business office.

Those card machines should not even be on their local network; they should all be either on their own dedicated line and gear provided by the processor, or go over 4G LTE/5G. At least in Canada, any client who has payment machines, it is all on their own networks, you do not even touch it.
 