Q&A Hardware UTM firewalls for home and small business.

MacDefender

Level 14
Verified
Oct 13, 2019
629
Went to the website and it shows the same bundle as what's being offered in my country

Bundled Services : 24x7 FortiCare and FortiGuard Unified (UTM) Protection

Not sure mine is offered as a 1 yr or 3 yr bundle
Nice! Yeah both 1 and 3 are available. I usually like 1 but there is a discount for 3. Personally I do not trust any company to do a good job for 3 years in a row, at least not enough to pledge my money.
 
  • Like
Reactions: HarborFront

HarborFront

Level 58
Verified
Content Creator
Oct 9, 2016
4,728
@MacDefender

I just checked with the FG distributor here again and the offer is 1-yr period for US$373.7 (approx conversion). That's expensive.

The other thing is the built-in VPN is not like our consumer VPN because it's an industrial product so the built-in VPN is for incoming use. Unlike consumer VPN where it's use to change our IP address before going out the built-in VPN don't behave that way and I won't be able to enable VPN in my router. I can, however, use a software VPN on my PC/laptop/tablet/phone
 
Last edited:

Lenny_Fox

Level 20
Verified
Oct 1, 2019
996
Hi guys,
For the last month now I have been running the Sophos XG in bridge mode behind a ASUS RT-AC86U.
The setup is bit tricky, the config even more so, but as soon as you get their way of thinking it gets easier.

Protection wise I do not really know, it is not like you can find homepages out there containing malware, exploits etc that easily to test with.
But so far I have seen blocks from both the AiProtection on the ASUS and the ATP and IDS on the XG.

A strange thing happened when I tested a malware pack in the VM the other day, I just did a static scan of a lot of files, no execution, and the XG stopped a lot of connections from going out with its intrusion system.
I think something in that pack must have reacted to the scan, and did some e tempts to call home, scary!
But at least it shows that a having a first good line of defense is important, what ever security solution you have at your endpoints.

/W
Could you post a diagram how you have set it up? Do I understand right that first Network Interface Card is connected to incoming internet and second NIC is for your internal intranet? Does your internal intranet need an additional switch or wireless router to connect devices on your internal intranet?

Thanks in advance
 

MacDefender

Level 14
Verified
Oct 13, 2019
629
@MacDefender

I just checked with the FG distributor here again and the offer is 1-yr period for US$373.7 (approx conversion). That's expensive.

The other thing is the built-in VPN is not like our consumer VPN because it's an industrial product so the built-in VPN is for incoming use. Unlike consumer VPN where it's use to change our IP address before going out the built-in VPN don't behave that way and I won't be able to enable VPN in my router. I can, however, use a software VPN on my PC/laptop/tablet/phone
It's not cheap but it's one of the lowest cost UTM services out there. Meraki MX is about $1000/yr for the same set of features on their 450mbit appliance. IPS, AV, and web filtering requires constant updates (several a day) and you're protecting 20-50 devices behind a firewall.


Your distributor is correct in that the Fortinet box is not a VPN client. Its VPN does two things:
  1. Allow clients to VPN into the Fortinet box to get internal network access (dialup mode)
  2. Connect to other VPN capable firewalls and route to those remote networks (site to site VPN)
The mode of operation you're looking for is being a VPN client and NATting all local traffic through that VPN connection, which is not something Fortinet supports.


Again, price-wise, you really do have to ask yourself if UTM is the right solution for you. I run a few servers at home and have a few dozen IoT devices, and I don't babysit any of them too regularly. I have had Cisco's IPS save my butt when I assumed my Windows Server automatically patched but a glitch caused it to not auto-reboot for a wormable vulnerability! But if you on the other hand just had 10 computers on your network and you can get a $100/yr family pack of Kaspersky on them, that might be a better way forward.

And please don't tempt yourself into thinking that grabbing a few dozen piHole blocklists from Twitter and messing around with open-source free Snort rules is going to be similar to a UTM in performance. A lot of the value-add in these UTMs is the fact that Fortinet has millions of customers and has fine-tuned all their rulesets for the right level of protection vs minimal false alarms. I've been there done that, and after trying that for a few years I happily pay for a professional company to do this work for me :D
 
Last edited:

woodrowbone

Level 10
Verified
Dec 24, 2011
481
Mostly for you Lenny_Fox, but also others.

The beautiful thing with Sophos XG is that it is free for home use.
I use it in bridge mode witch means that it sits behind your router and only filters the traffic going in and out on your network.

Setup XG in Bridge mode

Behind the XG I just run a 24 port switch to feed the house.

I run this on an old Intel i3 cpu with just 4 GB RAM, I do not feel anything lagging except maybe if you download a big exe file for example.
This is to be expected due to the scanning/inspection of the file, you can set how large files you want to scan, and if you like to use both Sophos and Aviras AV, or only one of them to scan the file.
On top of that you can enable some sort of ATP scanning, I am not sure how that work because I did not buy a license for their Sandstorm, I suspect this is some kind of HitmanPro tech witch Sophos did buy a couple of years ago. But it seems these are two different modules (ATP and Sandstorm)
As I mentioned there is an ATP scanning that you can activate, and I did have 2 detection coming from that module, so it works.

When it comes to surfing the webb, streaming or any other use of the webb I do not feel any slowdowns, I only have a 100Mbit connection so I do not know how it would feel on Gbit connection.

When it comes to WiFi I only use a simple router connected behind the XG, but of course you could use an access point if you want to reach your intranet with your wifi stuff.

I also like Untangle who also can be set up in bridge mode: Bridge mode
Untangle is by far more easy to set up and run compared to Sophos XG, security wise I can not comment, as there are no tests in this area that I know of?
This is a area that I would love to see the AV test organisations to start look into.

/W
 

woodrowbone

Level 10
Verified
Dec 24, 2011
481
I just cant help to wonder how long an American-Japanese company (Trend Micro) will sell their tech to a Chinese company? (TP-Link)
With all suspicion directed at Chinese tech for the last couple of years, I would stay away from that in all forms.
Just my personal opinion of course.

/W
 

Lenny_Fox

Level 20
Verified
Oct 1, 2019
996

Well, maybe I shoud replace windows defender with Kaspersky free to balance it out a bit.
 
Top