Q&A Hardware UTM firewalls for home and small business.

woodrowbone

Level 10
Verified
Dec 24, 2011
477
Hi guys,
I would like to create some discussion, and most of all get input from our users, when it comes to our first line of defense, the router/firewall.

We have some separate threads in this regard, like Gryphon, Avira SafeThings etc., but I want to create a space where we mix them all up ;)
Let's compare, twist and turn, and pick each other's brains when it comes to tweaks, hardware etc.

There are many solutions out there when it comes to building your own router/firewall, often free solutions to install on your own hardware.
With hardware now available in small form factors, it's getting more and more interesting for enthusiasts to build their own solution.

My favorite so far is Untangle (very easy to install and manage); you can even use it to filter traffic behind your present router, if you install it in bridge mode.

Years ago I used Sophos UTM, harder to set up, but I did like the dual AV engines it provided.
Today they seem to only develop their XG version, which I am very interested in; if anyone uses it please share your thoughts.

I hope this thread will catch on, as securing not just your computer, but all your other connected stuff, gets more important by the day.

/W
 

scorpionv

Level 2
Apr 20, 2020
64
I use Sophos UTM 9 (aka Sophos Home UTM). Steep learning curve and a pain to set up, but it works beautifully.
Sophos XG is the new product, but it seems to be less mature than Sophos UTM 9. So I don't want to make the switch yet.

It is very important to secure your whole network, especially with the cheap IoT stuff that does not get updated a lot.
 

woodrowbone

Level 10
Verified
Dec 24, 2011
477
Back in the day I also used the UTM Home (formerly Astaro), the best in the field then.
Now all development seems to be pointed at the XG version, I hope someone who experienced it will share his/her thoughts here.

/W
 

scorpionv

Level 2
Apr 20, 2020
64
Sophos XG user experiences would be nice indeed, and I would like to know if the Gryphon sits in the same league as well. My impression of the Gryphon is that it is a little less configurable than Sophos, and therefore easier to use, but that impression is based on the Gryphon topic over here. No actual experience.

I do have a spare PC lying around for trying out another firewall/UTM, but my time is very limited atm. We'll see when I get to that.

About hardware, is the Gryphon software installable on any hardware, or do you need to buy the actual router?
 
  • Like
Reactions: Nevi and DDE_Server

woodrowbone

Level 10
Verified
Dec 24, 2011
477
Sophos XG is a full-fledged enterprise UTM, so it should be much more powerful than a Gryphon.
From what I understand, Gryphon is hardware only, no software to play around with.

I did not test XG myself yet, but I hear it is a bit complicated to set up.
You have tons of settings to configure if you like, dual AVs, ML/AI, country geo blocking, etc., etc...
If you get the time please try it out and see if you find it easy enough to use, I will as soon as I can get a fiber provider here.

/W
 
  • Like
Reactions: Nevi

woodrowbone

Level 10
Verified
Dec 24, 2011
477
Hi guys,
For the last month now I have been running the Sophos XG in bridge mode behind an ASUS RT-AC86U.
The setup is a bit tricky, the config even more so, but as soon as you get their way of thinking it gets easier.

Protection-wise I do not really know; it is not like you can easily find homepages out there containing malware, exploits etc. to test with.
But so far I have seen blocks from both the AiProtection on the ASUS and the ATP and IDS on the XG.

A strange thing happened when I tested a malware pack in the VM the other day: I just did a static scan of a lot of files, no execution, and the XG stopped a lot of connections from going out with its intrusion system.
I think something in that pack must have reacted to the scan and made some attempts to call home, scary!
But at least it shows that having a good first line of defense is important, whatever security solution you have at your endpoints.

/W
 
  • Thanks
Reactions: Lenny_Fox

MacDefender

Level 14
Verified
Oct 13, 2019
614
I've dabbled in this field a lot. They're hard to rank but this is roughly my ranking:
  1. Sophos UTM 9: By far my favorite in terms of functionality and UI for a home UTM. I don't recommend using it anymore since the maintenance has gone pretty stale on it.
  2. Fortinet "F" series (40F, 60F, 80F). Unless you have symmetric gigabit, the 40F or 60F should suffice. It has a ton of functionality and ridiculous throughput even with all features turned on. Downsides are: It has a pretty steep learning curve, and lots of people criticize their software quality/stability, though I honestly feel the same applies for Sophos, pfSense, and a lot of the other home-grade solutions.
  3. Sophos XG: If you can stand the UI and you don't have much QoS needs, it's acceptable, but personally I find the UI to be a total mess in terms of usability, geared towards looking pretty.
  4. Cisco Meraki MX: If you can afford it, this is one of the most elegant all-in-one boxes money can buy. It's got a dead simple web UI and has a good selection of AV, IPS, and filtering features. Cisco's quality really reflects, I've almost never had a false positive or had it break any websites/apps, which is a common nuisance with most other vendors' UTM features. Main downsides are the licensing costs for Advanced Security, as well as the limited throughput capabilities (strictly 450mbps or slower even for NAT)
  5. pfSense: I ranked this lower mainly because it's not technically a UTM, but you can get close. Paying for ET or Snort VRT rules gets you a pretty solid IPS and pfBlocker is like a piHole on steroids, both DNS and IP based blocking. In practice it comes pretty close to the protection level of a commercial UTM solution and has a lot more tweakability since it's just a FreeBSD machine.

Overall I would say, if you don't want to pay for anything, choose between Sophos XG or pfSense, and be really honest about how much you want commercial free UTM abilities. Honestly I regret the one deployment of Sophos XG I did.

If you are willing to pay ongoing fees, I would recommend Fortinet or Meraki. They both have different strengths so it's hard for me to rank them.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
All these hardware devices will affect your throughput, especially if you have a Gbps line. If you still have a Mbps line then it's ok. And if you want high throughput then you need to pay for the more expensive models.

Edit - Changed Kbps to Mbps
 
Last edited:
  • Like
Reactions: Nevi

MacDefender

Level 14
Verified
Oct 13, 2019
614
All these hardware devices will affect your throughput, especially if you have a Gbps line. If you still have a Kbps line then it's ok. And if you want high throughput then you need to pay for the more expensive models.
Fortinet is a pretty notable exception to that. The 40F is $360 and does 1gbit IPS and 4+gbit IPsec VPN with AES256-SHA256. The 60F costs about $600 and is even faster, which is my recommendation for gigabit.

They build their own chips and almost everything gets hardware offloaded after the first packet is processed on CPU.

[attached image: throughput table, 1606953723096.png]
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
Fortinet is a pretty notable exception to that. The 40F is $360 and does 1gbit IPS and 4+gbit IPsec VPN with AES256-SHA256. The 60F costs about $600 and is even faster, which is my recommendation for gigabit.

They build their own chips and almost everything gets hardware offloaded after the first packet is processed on CPU.


Are the throughputs reflected in the table measured with a single protection feature enabled each, or with ALL the protection features enabled simultaneously?

As a user I would like to enable ALL the protection features simultaneously.

Also, looking at the models you can see that they are more for enterprise use, like having 2Gbps throughput and above. For home users 1 Gbps is more than adequate, unless you are running two(2)x1Gbps lines for gaming or operating a business at home.
 
Last edited:
  • Like
Reactions: Nevi

MacDefender

Level 14
Verified
Oct 13, 2019
614
Are the throughputs reflected in the table measured with a single protection feature enabled each, or with ALL the protection features enabled simultaneously?

As a user I would like to enable ALL the protection features
"IPS" is just IPS but NGFW is IPS + web filtering and "threat protection" is all of that plus AV scanning and SSL decrypting/reencrypting.

Note that because Fortinet uses special ASICs for offloading, all of those things use separate hardware. Like just because you are pushing 1gbps through IPS, you can still push 6gbps through IPSec because the AES engine is separate from the IPS engine.

The numbers are a little hard to believe but yeah I am comfortably using a FG-61F to do symmetric gigabit upload and download. I've only had one or two workloads where the device couldn't offload and limited my throughput at 800mbps.
 
  • Like
Reactions: HarborFront

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
"IPS" is just IPS but NGFW is IPS + web filtering and "threat protection" is all of that plus AV scanning and SSL decrypting/reencrypting.

Note that because Fortinet uses special ASICs for offloading, all of those things use separate hardware. Like just because you are pushing 1gbps through IPS, you can still push 6gbps through IPSec because the AES engine is separate from the IPS engine.

The numbers are a little hard to believe but yeah I am comfortably using a FG-61F to do symmetric gigabit upload and download. I've only had one or two workloads where the device couldn't offload and limited my throughput at 800mbps.
Do you add your VPN to it? How much throughput are you getting before and after adding the VPN? Adding your VPN will definitely drop the throughput further, like what is happening to my router after adding my own VPN to it.

Can I know whether you need to pay a subscription for using its software, upgrades etc.?
 
Last edited:

MacDefender

Level 14
Verified
Oct 13, 2019
614
Do you add your VPN to it? How much throughput are you getting before and after adding the VPN? Adding your VPN will definitely drop the throughput further, like what is happening to my router after adding my own VPN to it.

Can I know whether you need to pay a subscription for using its software, upgrades etc.?
Yeah I run a site to site VPN as well as client dial in VPN. I have internally simulated 1gbps IPSec AES256-SHA256 and still 1gbps IPS over the WAN. Again unlike a router, Fortinet SoCs have dedicated offload resources so it doesn't all clog at the CPU.

FortiGate has many subscription levels. You need a basic support subscription to get software updates. The more expensive ones enable AV, IPS, etc.
 
  • Like
Reactions: HarborFront

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
Yeah I run a site to site VPN as well as client dial in VPN. I have internally simulated 1gbps IPSec AES256-SHA256 and still 1gbps IPS over the WAN. Again unlike a router, Fortinet SoCs have dedicated offload resources so it doesn't all clog at the CPU.

FortiGate has many subscription levels. You need a basic support subscription to get software updates. The more expensive ones enable AV, IPS, etc.
FYI, I'm looking at the FG-60F datasheet now. The FG-60F is available in my country and its specs are the same as the 61F, except the latter comes with an onboard 128GB SSD.

The FortiWiFi 60F/61F models come with a wireless feature but NO WiFi6 support, which is not suitable as more laptops/handphones nowadays have WiFi6 support. Anyway, this model is not available in my country.

Do I still need my home router if I get the FG-60F? Is it possible to integrate the FG-60F with my home WiFi6 router? And how to handle two(2) firewalls in this case?

Thanks
 
Last edited:

MacDefender

Level 14
Verified
Oct 13, 2019
614
FYI, I'm looking at the FG-60F datasheet now. The FG-60F is available in my country and its specs are the same as the 61F, except the latter comes with an onboard 128GB SSD.

The FortiWiFi 60F/61F models come with a wireless feature but NO WiFi6 support, which is not suitable as more laptops/handphones nowadays have WiFi6 support. Anyway, this model is not available in my country.

Do I still need my home router if I get the FG-60F? Is it possible to integrate the FG-60F with my home WiFi6 router? And how to handle two(2) firewalls in this case?

Thanks
I don’t recommend using Fortinet’s Wi-Fi. They bought Meru and they were not a very good player in the industry to begin with. I think the 60F is a fine choice.
For Wi-Fi, if your router has an “AP mode” where it doesn't do NAT/DHCP but just bridges the wired ports to wireless, it will work fine with the 60F. Otherwise you should consider getting a wireless access point. Ubiquiti is one of the most popular prosumer or semi-enterprise Wi-Fi vendors.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
I don’t recommend using Fortinet’s Wi-Fi. They bought Meru and they were not a very good player in the industry to begin with. I think the 60F is a fine choice.
For Wi-Fi, if your router has an “AP mode” where it doesn't do NAT/DHCP but just bridges the wired ports to wireless, it will work fine with the 60F. Otherwise you should consider getting a wireless access point. Ubiquiti is one of the most popular prosumer or semi-enterprise Wi-Fi vendors.
If I'm not wrong, WiFi6 started off first on the consumer side. Enterprise devices generally come later.

Anyway, I just spoke to the distributor of the FG and was told that to integrate the F60 with my router I'll need to disable my router's firewall and use it as an Access Point (like you mentioned) and my own VPN. I can connect to my devices wirelessly using WiFi6 without needing to buy a separate Access Point.

In our home we generally have PC/laptop/tablet/handphone/IoT devices.

Apparently, the FG-60F bundle comes with the UTM Protection only, and according to the spec sheet it does NOT cover IoT Detection (its FortiGuard IoT Detection Service), which is covered in the Enterprise Protection and 360 Protection.

Now does that mean my IoT devices are not detected and protected using only the UTM Protection, unless I subscribe to the Enterprise Protection? See the picture below.
[attached image: plk.png]
 
Last edited:
  • Like
Reactions: harlan4096

MacDefender

Level 14
Verified
Oct 13, 2019
614
IoT detection is a specific layer of additional protection that in my opinion is not necessary for a home network. It is meant to protect industrial automation sensors and guard against employees bringing IoT devices onto your corporate network.

In my opinion the “950” UTM bundle is the best bundle to buy. I would suggest at least one year of that with your 60F. After a year you can perhaps decide if there’s features you don’t use and hence can save money by ordering a smaller package.

FYI both enterprise and consumer Wi-Fi 6 access points are widely available now. At least in the US, not sure about your regulatory domain. In my opinion Cisco Meraki makes the best wireless access points on the market. Ubiquiti makes the cheapest.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
IoT detection is a specific layer of additional protection that in my opinion is not necessary for a home network. It is meant to protect industrial automation sensors and guard against employees bringing IoT devices onto your corporate network.

In my opinion the “950” UTM bundle is the best bundle to buy. I would suggest at least one year of that with your 60F. After a year you can perhaps decide if there’s features you don’t use and hence can save money by ordering a smaller package.

FYI both enterprise and consumer Wi-Fi 6 access points are widely available now. At least in the US, not sure about your regulatory domain. In my opinion Cisco Meraki makes the best wireless access points on the market. Ubiquiti makes the cheapest.
For home users, IoT devices will encompass window/door alarms, smoke and gas detectors, IP cameras, smart TVs, Android TV boxes etc. All these need to be protected because you can't protect them with AV or security software, unlike a PC/laptop/tablet/handphone.

Can you provide a link to this “950” UTM bundle? Thanks

The FG distributor's website in my country doesn't have pricing for the different bundles.
 

MacDefender

Level 14
Verified
Oct 13, 2019
614
For home users, IoT devices will encompass window/door alarms, smoke and gas detectors, IP cameras, smart TVs, Android TV boxes etc. All these need to be protected because you can't protect them with AV or security software, unlike a PC/laptop/tablet/handphone.

Can you provide a link to this “950” UTM bundle? Thanks

The FG distributor's website in my country doesn't have pricing for the different bundles.
IoT devices are protected by the same UTM, firewall, DNS filtering and so on packages. The IoT protection bundle mainly gets you automated detection of IoT devices so you can write policies that automatically put them on a VLAN. You can do that manually too for the same protection which is what I do. Manage IoT devices with the IoT FortiGuard Security Service

It’s kind of cool but IMO a waste of money for a home network. It’s really for networks like corporations where you cannot control what hundreds of employees might be plugging into the network.

For the US here’s an example of the 950 bundle: Fortinet FortiGate 60F - security appliance - with 3 years 24x7 FortiCare a - FG-60F-BDL-950-36 - Firewalls/UTMs - CDW.com

950 is just the middle of the part number, which describes the UTM package.
 

HarborFront

Level 57
Verified
Content Creator
Oct 9, 2016
4,684
IoT devices are protected by the same UTM, firewall, DNS filtering and so on packages. The IoT protection bundle mainly gets you automated detection of IoT devices so you can write policies that automatically put them on a VLAN. You can do that manually too for the same protection which is what I do. Manage IoT devices with the IoT FortiGuard Security Service

It’s kind of cool but IMO a waste of money for a home network. It’s really for networks like corporations where you cannot control what hundreds of employees might be plugging into the network.

For the US here’s an example of the 950 bundle: Fortinet FortiGate 60F - security appliance - with 3 years 24x7 FortiCare a - FG-60F-BDL-950-36 - Firewalls/UTMs - CDW.com

950 is just the middle of the part number, which describes the UTM package.
Went to the website and it shows the same bundle as what's being offered in my country.

Bundled Services : 24x7 FortiCare and FortiGuard Unified (UTM) Protection

Not sure if mine is offered as a 1 yr or 3 yr bundle.
 