Firewalls Buyer's Guide and Reviews June 2021

F
Firewalls
Buyer's Guide and Reviews
June 2021
Firewalls
Get a custom version of this report...personalized for you!

Thanks for downloading this IT Central Station report.
Note that this is a generic report based on reviews and opinions from the entire IT
Central Station community. We offer a customized report personalized for you based on:
• Your industry
• Company size
• Which solutions you're already considering
It includes recommendations for you based on what other people like you are researching and
using.
It takes 2-3 minutes to get the report using our shortlist builder wizard. We recommend it!
Get your personalized report here.
2
Firewalls
Contents
Vendor Directory 4
Top Vendors 5-6
Top Solutions by Ranking Factor 7
Focus on Solutions
Fortinet FortiGate 8 - 10
pfSense 11 - 13
Cisco ASA Firewall 14 - 16
Check Point NGFW 17 - 19
Cisco Firepower NGFW Firewall 20 - 22
Sophos XG 23 - 25
Palo Alto Networks NG Firewalls 26 - 28
Check Point CloudGuard Network Security 29 - 31
Kerio Control 32 - 34
Palo Alto Networks VM-Series 35 - 37
Answers From the Community 38 - 40
About This Report and IT Central Station 41
© 2021 IT Central Station

To read more reviews about Firewalls, please visit: https://www.itcentralstation.com/categories/firewalls
3
Firewalls
Vendor Directory
A10 Networks A10 Networks Thunder CFW MetTel MetTel Onsite Managed Firewall
AhnLab AhnLab TrusGuard MetTel MetTel Cloud Managed Firewall
Barracuda Networks Barracuda CloudGen Firewall Microsoft Azure Firewall
Check Point Check Point NGFW NetFortris NetFortris Hosted Firewall
Check Point Check Point CloudGuard Network Security NetFortris NetFortris Threat Analyzer
Cisco Cisco ASA Firewall Netgate pfSense
Cisco Cisco Firepower NGFW Firewall OPNsense OPNsense
Cisco Cisco IOS Security Palo Alto Networks Palo Alto Networks VM-Series
Forcepoint Forcepoint Next Generation Firewall Palo Alto Networks Palo Alto Networks NG Firewalls
Fortinet Fortinet FortiGate Palo Alto Networks Palo Alto Networks K2-Series
Fortinet Fortinet FortiGate-VM Sangfor Sangfor NGAF
Fortinet Fortinet FortiOS ShieldX Networks ShieldX
GajShield GajShield Next Generation Firewall SonicWall SonicWall TZ
GFI Kerio Control SonicWall SonicWall NSa
H3C H3C SecPath Firewalls SonicWall SonicWall NSSP
Hewlett Packard 3Com H3C Firewalls SonicWall SonicWall NSV

Enterprise
Sophos Sophos XG
Hillstone Networks Hillstone E-Series
Trustwave Trustwave Next Generation Firewall
Hillstone Networks Hillstone T-Series
Untangle Untangle NG Firewall
Hillstone Networks Hillstone X-Series Data Center Firewalls
Valtix Valtix
Hillstone Networks Hillstone CloudEdge
VenusTech Venusense NGFW
Huawei Huawei NGFW
WiJungle WiJungle
Juniper Juniper SRX
Zscaler Zscaler Cloud Firewall
Juniper Juniper vSRX
Menlo Security Menlo Security Cloud Firewall

4
Firewalls
Top Firewalls Solutions

Over 508,495 professionals have used IT Central Station research. Here are the top Firewalls vendors based on product reviews, ratings,
and comparisons. All reviews and ratings are from real users, validated by our triple authentication process.
Chart Key
Views Comparisons Reviews Words/Review Average Rating
Number of views Number of times compared Total number of reviews on Average words per review Average rating based on
to another product IT Central Station on IT Central Station reviews
Bar length
The total ranking of a product, represented by the bar length, is based on a weighted aggregate score. The score is calculated as follows:
For each ranking factor of Reviews, Views, and Comparisons, the product with the highest count in each ranking factor gets a maximum 18
points.
Every other product gets assigned points based on its total in proportion to the #1 product in that ranking factor.
For example, if a product has 80% of the number of reviews compared to the product with the most reviews then the product's points for reviews
would be 18 * 80% = 14.4.
Both Rating and Words/Review are awarded on a fixed linear scale.

For Rating, the maximum score is 28 points awarded linearly between 6-10 (e.g. 6 or below=0 points; 7.5=10.5 points; 9.0=21 points; 10=28 points).
For Words/Review, the maximum score is 18 points awarded linearly between 0-900 words (e.g. 600 words = 12 points; 750 words = 15 points;
900 or more words = 18 points).
If a product has fewer than ten reviews, the point contribution for Rating and Words/Review is reduced:
1/3 reduction in points for products with 5-9 reviews, two-thirds reduction for products with fewer than five reviews.
Reviews that are more than 24 months old, as well as those written by resellers, are completely excluded from the ranking algorithm.
All products with 50+ points are designated as a Leader in their category.
1 Fortinet FortiGate
165,280 views 123,151 comparisons 85 reviews 450 words/review 8.5 average rating
2 pfSense
3 Cisco ASA Firewall

5
Firewalls
4 Check Point NGFW
5 Cisco Firepower NGFW Firewall
39,252 views 29,305 comparisons 37 reviews 1,080 words/review 8.4 average rating
6 Sophos XG
7 Palo Alto Networks NG Firewalls
8 Check Point CloudGuard Network
9 Kerio Control
11,801 views 8,285 comparisons 22 reviews 1,812 words/review 8.0 average rating
10 Palo Alto Networks VM-Series

6
Firewalls
Top Solutions by Ranking Factor

Views
VIEWS
1 Fortinet FortiGate 165,280
2 pfSense 88,611
3 Cisco ASA Firewall 65,046
4 Sophos XG 43,977
5 Cisco Firepower NGFW Firewall 39,252
Reviews
REVIEWS
1 Fortinet FortiGate 85
2 Check Point NGFW 77
3 Sophos XG 75
4 Cisco ASA Firewall 73
5 Palo Alto Networks NG Firewalls 59
Words / Review
WORDS /
REVIEW
1 ShieldX 2,022
2 Kerio Control 1,812
3 Cisco Firepower NGFW Firewall 1,080
4 Check Point CloudGuard Network 869
5 SonicWall NSV 788

7
Firewalls
Fortinet FortiGate See 98 reviews >>
Overview
The FortiGate family of NG firewalls provides proven protection with unmatched performance across the network, from internal
segments, to data centers, to cloud environments. FortiGates are available in a large range of sizes and form factors and are key
components of the Fortinet Security Fabric, which enables immediate, intelligent defense against known and new threats
throughout the entire network.
SAMPLE CUSTOMERS
Pittsburgh Steelers, LUSH Cosmetics, NASDAQ, Verizon, Arizona State University, Levi Strauss & Co.
Whitepaper and case studies here
TOP COMPARISONS
Cisco ASA Firewall vs. Fortinet FortiGate … Compared 17% of the time [See comparison]
Sophos UTM vs. Fortinet FortiGate … Compared 12% of the time [See comparison]
Palo Alto Networks WildFire vs. Fortinet FortiGate … Compared 9% of the time [See comparison]
REVIEWERS * VISITORS READING REVIEWS *
TOP INDUSTRIES TOP INDUSTRIES

Comms Service Provider … 36% Comms Service Provider … 14%
Computer Software Company … 20% Computer Software Company … 10%
Government … 5% Financial Services Firm … 8%
Media Company … 4% Manufacturing Company … 6%
COMPANY SIZE COMPANY SIZE

1-200 Employees … 35% 1-200 Employees … 48%
1001+ Employees … 43% 1001+ Employees … 28%
* Data is based on the aggregate profiles of IT Central Station Users reviewing and researching this solution.

8
Firewalls
Fortinet FortiGate Continued from previous page
Top Reviews by Topic
VALUABLE FEATURES See more Valuable Features >>
The ease of setting the solution up is a valuable aspect for us. The most valuable aspect that differentiates it from other solutions is
that the client (the SSL VPN client or the IP sec VPN client, the same clients) is included in the solution. We don't have to pay extra
for the software and the clients. I have had some issues, but no more than others and I don't have to buy an expensive add-on
Spencer license to do it and it's managed and it's updated automatically. That's the key thing, that the client is included and it updates itself
Malmad
so I don't have to... [Full Review]
One of the nice things about FortiGate is that it can be deployed on the cloud or on-premises. You can actually do both. That's the
biggest reason why I stick with this solution as opposed to something like Cisco Meraki. Another nice thing is that I can log directly
into a FortiGate or get to it through their FortiCloud access products. They're pretty reliable and consistent. One of the reasons why
Eric-Smith I started using the product was their single pane of management. I can deploy their line of firewalls in conjunction with their
switching and access poin... [Full Review]
We use the firewall to enforce our company ideologies and principles and policies. The solution has built-in features for web
filtering that are great. It categorizes it nicely for you. The interface itself is nice to work with. It's a lot better than the initial interface
that they used to have around version four. I used to work for FortiGate some time back, and the earlier interfaces were not as good
reviewer126 as these latest ones. I like that once you open it up, you have a dashboard that can give you a holistic overview of what is
6459
happening. You can see,... [Full Review]
Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that
can occur during tunnel setup with other vendors' equipment. SD-WAN feature at no cost. This is really great feature for remote
locations (branch offices) and HQ, application steering between many ISP links becomes a simple task. Steering can be done
Chingiz dynamically by measuring link quality (latency, jitter, packet loss, available bandwidth). Wi-Fi and Switch controller at no cost.
Abdukarimo
v FortiSwitch and FortiAP can become a kind of port ... [Full Review]
ROOM FOR IMPROVEMENT See more Room For Improvement >>
The biggest "gotcha" is that if the client purchases what they call the UTM shared bundle, which has unified threat management on
both, it's not as easy to manage if you have more than one firewall. If I wanted a unified console, I have to pay extra. And that's the
downfall. That's the only needed improvement that I would say for the Fortinet solution, is that they should have it web-based from
Spencer the get-go. You should not have to buy an extra bundle or an extra device. If I have to make an update to a web filter, and I have 12
Malmad
devices, I've got to do... [Full Review]
FortiLink is the interface on the firewall that allows you to extend switch management across all of your switches in the network. The
problem with it is that you can't use multiple interfaces unless you set them up in a lag. Only then you can run them. So, it forces you
to use a core type of switch to propagate that management out to the rest of the switches, and then it is running the case at 200. It
Eric-Smith leaves you with 18 ports on the firewall because it is also a layer-three router that could also be used as a switch, but as soon as you
do that, you... [Full Review]
The commercial side of things can be improved a bit. They have such a good product, and when you disable some features, it has
to be commercialized for you to enjoy those features. Therefore, you are actually buying half a product. You have hardware there,
and yet, your features are not enabled. The primary things, such as the antivirus, web filter, DNS filter, application intrusion, file filter,
reviewer126 and email filter come with the general license. There are other things that you want to also enjoy in this system and you can't. There
6459
are SD-WAN network m... [Full Review]

9
Firewalls
Fortinet FortiGate Continued from previous page
I think there could be more QoS features in GUI. FortiGate has Traffic Shaping feature that is enough in most cases when shaping
egressing packets, but sometimes I just need 802.1p prioritizing (Class of Service) of incoming packets and manual ingress queue
assignment. This is what would be nice to have, but I realize that such a job is more efficiently done by L4 switch standing before
Chingiz firewall. Fortinet has a FortiSwitch that can do it, and it also can be controlled by FortiGate via FortiLink protocol. [Firmware version
Abdukarimo
v FortiOS 6.2 update]: There ... [Full Review]
PRICING, SETUP COST AND LICENSING See more Pricing, Setup Cost And Licensing >>
They have almost all the features embedded in the solution. It's just that some features are not available because you have to pay
for it. There are lots of add-ons available, and you need to pay extra for them, so pricing can add up. [Full Review]
reviewer126
6459
The solution is pretty affordable. It's not overly expensive. It's not like Cisco where you pay an awful lot of money mostly for the
name. There are extra apps you can add to the product, however, those come with an extra price tag as well. That said, it allows
you to do more things and expands its capabilities. I like to use Fortinet due to the fact that with the device you can do so much
reviewer109 more, it's not only web filtering. If you decide to use it for something else, you just pay some money to Fortinet for another package
1898
and you are good to go. It ... [Full Review]
Pricing and licensing is a little bit complicated in FortiGate. They are always on the higher side. This is one issue that we always
raise with the company that they should reduce the price according to Indian market requirements. There are no costs in addition to
the standard licensing fees. [Full Review]
Kshitij
Singhai
When you look at these endpoint security systems and firewalls, these products a few years were way too expensive for a small
business. Now we have enterprise level security in a footprint that is less than $1,000. For offices that have 10-25 computers
needing protection, this is a better solution. [Full Review]
Michael-
Sugg

10
Firewalls
pfSense See 37 reviews >>
Overview
Providing comprehensive network security solutions for the enterprise, large business and SOHO, pfSense solutions bring
together the most advanced technology available to make protecting your network easier than ever before. Our products are built
on the most reliable platforms and are engineered to provide the highest levels of performance, stability and confidence.
SAMPLE CUSTOMERS
Nerds On Site Inc., RKC Development Inc., Expertech, Fisher's Technology, Ncisive, Consulting, CPURX, Vaughn's Computer House Calls,
Imeretech LLC, Digital Crisis, Carolina Digital Phone, Technigogo Technology Services, The Simple Solution, SwiftecITInc, Rocky
Mountain Tech Team, Free Range Geeks, Alaska Computer Geeks, Lark Information Technology, Renaissance Systems Inc., Cutting Edge
Computers, Caretech LLC, GoVanguard, Network Touch Ltd, P.C. Solutions.Net, Vision Voice and Data Systems LLC, Montgomery
Technologies, Techforce, Concero Networks, ASONInc, CPS Electronics and Consulting, Darkwire.net LLC, IT Specialists, MBS-Net Inc.,
VOICE1 LLC, Advantage Networking Inc., Powerhouse Systems, Doxa Multimedia Inc., Pro Computer Service, Virtual IT Services, A&J
Computers Inc., Envision IT LLC, CommunicaONE Inc., Bone Computer Inc., Amax Engineering Corporation, QPG Ltd. Co., IT 101 Inc.,
Perfect Cloud Solutions, Applied Technology Group Inc., The Digital Sun Group LLC, Firespring
TOP COMPARISONS
Sophos UTM vs. pfSense … Compared 22% of the time [See comparison]
OPNsense vs. pfSense … Compared 17% of the time [See comparison]
Fortinet FortiGate vs. pfSense … Compared 17% of the time [See comparison]

Computer Software Company … 15% University … 11%
Government … 5% Construction Company … 8%
Media Company … 5% Marketing Services Firm … 8%


11
Firewalls
pfSense Continued from previous page
The classic features such as content inspection, content protection, and the application-level firewall, are the most important. This is
a feature-rich product. The documentation is good. [Full Review]
Bojan
Oremuz
The firewall aspect of the solution is very valuable to us. We had so many limitations with the Dre tech, however, it's the firewall and
the port forwarding that is the most interesting due to the fact it allows us to restrict IP addresses and move things from different
ports and things like that. I'm the expert when it comes to Linux systems, however, with the pfSense, due to the web interface, the
Tony rest of the staff can actually make changes to it as required without me worrying about whether they've opened up ports incorrectly
Williams
or not. The ease of ... [Full Review]
It's quite an awesome product with so many good things packed into it. I am happy with the EPLS, the radius, and I am happy with
the captive portal. All in all, it's a good product. And considering that I get it for paying nothing, it's really worth the time invested in
it. [Full Review]
Leon Pinto
The flexibility of adding new kinds of services without spending any money can't be beaten. We can compare services like IP
blocking, blacklisting and DNS blocking, content filtering, and even deep packet inspection with other larger enterprise firewalls.
[Full Review]
Malik Yusuf
Ease of use is a problem for a user who is unfamiliar with this product because, in the interface, everything has to be set manually. It
would be more user-friendly if things were set automatically. The drop in performance can be drastic when you use more advanced
techniques. There is some trade-off between having a certain level of security and maintaining acceptable performance. One of the
Bojan things that are usually outside of the UTM, or system on the gateway, is the SIEM. It is an advanced system for managing the
Oremuz
possibility of threats. It is not n... [Full Review]
We are at the moment looking to use it as a proxy service so that we can limit what websites people go and view and that sort of
thing. That's an area I've struggled with a little bit at the moment and it could be a bit easier to set up. The only other thing I might
look at would be some sort of antivirus type of aspect to check traffic coming in and out of the network. If they offered unified threat
Tony management, that would be an ideal outcome for us. I have been looking at it as a sort of an appliance, rather than installing it on an
Williams
actual PC. Howe... [Full Review]
As I said, the product is fantastic. It could use a little bit of improvement in the reporting — the reporting is virtually non-existent.
Something like a reporting module would be a benefit. Otherwise, in terms of the performance, at least for my organization, I don't
see much of a problem. By this, I mean that we cant generate reports of trends etc that could be exported out of PFSense in terms
Leon Pinto of a PDF etc to see how the firewall is functioning... Though I must say that the work around for this could be to use the pfsense
zabbix plugin and integr... [Full Review]

12
Firewalls
pfSense Continued from previous page
There's always room for improvement. In general terms, for someone who is not familiar with the product I think ease of use could
be improved. When you're connecting, the interface is very difficult for an inexperienced user in the sense of setting everything up,
as it all has to be set manually. I've also found that the more features you use influences performance and the drop can be drastic
Bojan when you use advanced features. I want to achieve a certain level of security and at the same time maintain good performance. The
Oremuz
solution is feature rich enou... [Full Review]
The price of the licensing depends on the size of the deployment. pfSense is open-source, but the support is something that the
customer pays for. We charge them for the first line of support and if they want, they can purchase the second line of support.
Typically, they take the first-line option. The term of licensing also depends on the contract. The firewall doesn't always have a
Bojan contract but rather, there is a contract in place for the network, which includes UTM. In addition to the licensing fees, there are costs
Oremuz
for hardware, installation, an... [Full Review]
We use the open-source version, which is free to use. I say we've always used the community edition as I've never felt a need for
support or anything like that and our clients have never insisted on it. I know where to go to look for answers if we run into
problems, so paying for that extra support isn't something we need to worry about. [Full Review]
Tony
Williams
Well, its opensource... So for the tech-minded, its not so difficult but yes, the configuration is understandable for those with good
prior firewall knowledge... If you can get it working, its great... But yes, thats the first part... Get it working... Oncw working, all
licenses etc are not a problem as it is opensource... So no restrictions there... so far... [Full Review]
Leon Pinto
Licensing costs depend on company size. pfSense is an open source solution, so there's a charge for support. We offer a first line of
support and a second line if required. Payment depends on the contract, because usually it's only covers the firewall. We offer a
contract for the network which includes UTM. There's a hardware cost for HP servers and, again, depending on the size of the
Bojan company, installation cost is about 500-800 Euro. There's an annual maintenance fee included in the networking agreement. [Full
Oremuz
Review]

13
Firewalls
Cisco ASA Firewall See 80 reviews >>
Overview
Cisco ASA firewalls deliver enterprise-class firewall functionality with highly scalable and flexible VPN capabilities to meet diverse
needs, from small/branch offices to high performance data centers and service providers. Available in a wide range of models,
Cisco ASA can be deployed as a physical or virtual appliance. Flexible VPN capabilities include support for remote access, site-to-
site, and clientless VPN. Also, select appliances support clustering for increased performance, VPN load balancing to optimize
available resources, advanced high availability configurations, and more.
Cisco ASAv is the virtualized version of the Cisco ASA firewall. Widely deployed in leading private and public clouds, Cisco ASAv
is ideal for remote worker... [Read More]
SAMPLE CUSTOMERS
There are more than one million Adaptive Security Appliances deployed globally. Top customers include First American Financial Corp.,
Genzyme, Frankfurt Airport, Hansgrohe SE, Rio Olympics, The French Laundry, Rackspace, and City of Tomorrow.
TOP COMPARISONS
Fortinet FortiGate vs. Cisco ASA Firewall … Compared 33% of the time [See comparison]
Palo Alto Networks WildFire vs. Cisco ASA Firewall … Compared 12% of the time [See comparison]
Meraki MX vs. Cisco ASA Firewall … Compared 8% of the time [See comparison]

Comms Service Provider … 35% Financial Services Firm … 16%
Computer Software Company … 21% Comms Service Provider … 14%
Government … 5% Manufacturing Company … 11%
Media Company … 4% University … 6%


14
Firewalls
Cisco ASA Firewall Continued from previous page
For us, the most valuable features are the IPX and the Sourcefire Defense Center module. That gives us visibility into the traffic
coming in and going out and gives us the heads-up if there is a potential outbreak or potential malicious user who is trying to
access the site. It also helps us see traffic generated by an end device trying to reach out to the world. Sourcefire is coupled with
Mohammad Talos and that provides us good insight. It gives us a pretty good heads-up. Talos is tied to the Sourcefire Defense Center.
Rauf
Sourcefire Defense Center, which is a... [Full Review]
All the features are very valuable. Among them is the integration for remote users, with AnyConnect, to the infrastructure. All the
security through that is wonderful and it's very easy. You connect and you are inside your company network via VPN. Everything is
encrypted and it's a very good solution. This is a wonderful feature. You need to make sure your machine has the profile requested
reviewer135 by the company. That means having the patches updated. Optionally, you should have the antivirus updated, but you can decide
7989
whatever you would like in order to e... [Full Review]
The majority of what I use is the policy ruleset. We have another company that deals with the IPS and the IDS. That's helpful, but I
can't necessarily speak to that because that's not the majority of what I do. The majority of what I do is create rules and work with
the customers to make sure that things are getting in and out of the environment. I work with our e-commerce team to make sure
JoelStech that new servers that are spun up have the appropriate access to other DMZ servers. I also make sure that they have access to the
internet. I make sure they have... [Full Review]
If we look at the Cisco ASA without Firepower, then one of the most valuable features is the URL filtering. Also, it's easy to integrate
ASA with other Cisco security products. When you understand the technology, it's not a big deal. It's very simple. When it comes to
threat visibility, the ASA is good. The ASA denies threats by using common ACLs. It can detect some DoS attacks and we can
Othniel monitor suspicious ICMP packets using the ASA. It helps you know when an attack is detected. Cisco Talos is good. It provides
Atseh
threat intelligence. It updates all t... [Full Review]
We've seen, for a while, that the upcoming revisions are not supported on some of 5506 firewalls, which had some impact on our
environment as some of our remote sites, with a handful of users, have them. We were also not too thrilled when Cisco announced
that in the upcoming new-gen ASA, iOS was not going to be supported, or if you install them, they will not be able to be managed
Mohammad through the Sourcefire. However, it seems like Cisco is moving away from the ASA iOS to the Sourcefire FireSIGHT firmware for the
Rauf
ASA. We haven't had a chance to test it o... [Full Review]
My concern in the 21st century, with ASA, is the front-end. I think Cisco missed the mark with all the configuration steps. They are a
pain and, when doing them, it looks as if we're using a very old technology — yet the technology itself is not old, it's very good. But
the front-end configuration is very tough. They probably still make a good profit even with the front-end being difficult, but it's not
reviewer135 easy. It's not user-friendly. All the configuration procedures are not user-friendly. Also, they launched the 1000 series for SMBs.
7989
They have all th... [Full Review]
One of the things that we got out of the Check Point, which we're finally getting out of the ASA, is being able to analyze the hit
count, to see whether a rule is actually used or not. That is going to be incredibly beneficial. That still has ways to go, as far as being
able to look into things, security-wise, and see whether or not rules or objects are being hit. It could help in clean-up, and that, in
JoelStech itself, would help with security. The FTD or the FirePOWER has a little way to go on that, but they're doing well implementing things
that not only ... [Full Review]

15
Firewalls
Cisco ASA Firewall Continued from previous page
One area where the ASA could be improved is that it doesn't have AMP. When you get an ASA with the Firepower model, ASA with
FTD, then you have advanced malware protection. Right now, threats and attacks are becoming more and more intense, and I don't
think that the ASA is enough. I think this is why they created FTD. Also, Cisco is not so easy to configure. [Full Review]
Othniel
Atseh
Pricing varies on the model and the features we are using. It could be anywhere from $600 to $1000 to up to $7,000 per year,
depending on what model and what feature sets are available to us. The only additional cost is Smart NET. That also depends on
whether you're doing gold or silver, 24/7 or 8/5, etc. [Full Review]
Mohammad
Rauf
When it comes to security, pricing should not be an issue, but we know, of course, that it is. Why is an Aston Martin or a Rolls Royce
very expensive? It's expensive because the support is there at all times. Replacement parts are available at all times. They offer a lot
of opportunities and customer services that others don't come close to offering. Cisco is expensive but it's a highly rated company.
reviewer135 It's one of the top-three security companies worldwide. [Full Review]
7989
We used Check Point and the two are comparable. Cost was really what put us onto the ASAs. They both do what it is we need
them to do. At Orvis, what we need to do is very basic. But the price tag for Check Point was exorbitantly more than what it is for the
ASA solution. We pay Cisco for maintenance on a yearly basis. There are no additional fees that I'm aware of. [Full Review]
JoelStech
When it comes to Cisco, the price of everything is higher. Cisco firewalls are expensive, but we get support from Cisco, and that
support is very active. When I hit an issue when I was configuring an FTD, as soon as I raised a ticket the guy called me and
supported me. Cisco is very proactive. I had the same kind of issue when I was configuring a FortiGate, but those guys took two or
Othniel three days to call me. I fixed the issue before they even called me. [Full Review]
Atseh

16
Firewalls
Check Point NGFW See 83 reviews >>
Overview
Offered via the Check Point Infinity architecture, Check Point’s NGFW includes 23 Firewall models optimized for running all threat
prevention technologies simultaneously, including full SSL traffic inspection, without compromising on security or performance.
Learn More about Next Generation Firewall and What is Firewall?
SAMPLE CUSTOMERS
Control Southern, Optimal Media
TOP COMPARISONS
Fortinet FortiGate vs. Check Point NGFW … Compared 59% of the time [See comparison]
Azure Firewall vs. Check Point NGFW … Compared 15% of the time [See comparison]
Meraki MX vs. Check Point NGFW … Compared 5% of the time [See comparison]

Financial Services Firm … 6% Insurance Company … 7%
Government … 5% Retailer … 7%


17
Firewalls
Check Point NGFW Continued from previous page
Among the valuable features are antivirus, URL inspection, and anti-malware protection. These are all advanced features. One of
the great advantages of having Check Point as a firewall is that all of these are software blades, so you can buy a license or
subscription and enable them and get the security up and running. With other firewalls, it's a completely different agenda, meaning
Pushkin some of them require hardware modules, and some of them have a complex way of adding the licensing, etc. Check Point definitely
Sawhney
has a great architecture, where you can ... [Full Review]
The feature I like the most is their central management, the Smart controller which you can use to manage all the firewalls from one
location. You can get practically all information — but not all the information, because not everything has been migrated from the
previous SmartDashboard version into the SmartConsole. Being able to access almost everything in one location — manage all your
Steve gateways and get all your logs — for me, is the best feature to work with. As for the security features, that depends a bit on what
Vandegaer
you're doing with it, and what ... [Full Review]
Packet inspections have been a strong point. Our Identity Collectors have also been helpful. In many ways, Check Point has been a
step up from our SonicWalls that we had in-house before that. There's a lot of additional flexibility that we didn't have before. We
saw a noticeable performance hit using SonicWalls. Whether it's because we've provisioned the Check Point gateways correctly
BrianFischer from a hardware standpoint or whether it's the software that is much more efficient (or both), we do packet inspection with very little
impact to hardware resources an... [Full Review]
The most valuable feature is definitely the logs. The way you can search the logs and have the granularity from the filter. It's just
very nice. I love the interface of R.80.30. The R.80 interface is very nicely thought out with everything in one place, which makes
Check Point easier to use. When I started in 2014, I was just confused with how many interfaces I had to go on to find things. While
reviewer142 there are quite a few interfaces still in the older smart dashboard versions, most things are consolidated now. [Full Review]
5090
The area it needs improvement is the SandBlast Agent. It receives a file, or if it detects a Zero-day attack, it takes the file and
analyzes it, either on-premise or in the Check Point Cloud, and then it reports back whether the file is secure or non-secure, or is
unknown. That particular area definitely needs a bit more improvement, because there is a delay. That's one of the main complaints
Pushkin for most of our customers. Or if it is quick, then it's very complex. For example, if they have received a file which is "unknown" or has
Sawhney
Zero-day attack malwa... [Full Review]
The MTA (Mail Transfer Agent) may not be the greatest, and the full proxy that you can activate instead of just doing application
control is also not the greatest, but they don't even recommend using those. They're just available if you want. But the biggest
improvement they could make is having one software to install on all three levels of their products, so that the SMBs, the normal
Steve models, and the chassis would all run the same software. Now, while there is central management, everything that has to be
Vandegaer
configured on the gateway itself works diff... [Full Review]
Because there's quite a bit of flexibility in Check Point, improved best practices would be helpful. There might be six ways to do
something and we're looking for one recommended way, one best practice, or maybe even a couple of best practices. A lot of times
we're trying to figure out what we should do and how we should handle a particular problem or scenario. Having a better roadmap
BrianFischer would help us as we navigate the options. The VPN setup could be simplified. We had to engage professional services for that.
That's not a problem, but compared to oth... [Full Review]

18
Firewalls
Check Point NGFW Continued from previous page
The naming in the inline layers and ordered layers needs improvement. It makes things very complicated. I've seen quite a lot of
people saying that. For audit policies, it is okay since it's very simple to see. However, this area is for very large organizations, which
have too many policies, and they need to share all these policies. For small to medium-sized businesses, they don't need it. Even if
reviewer142 somebody has 500 rules, if they try to use it, it can be very confusing. In R77.30, the only thing which I hated was having to go into
5090
each day's log fil... [Full Review]
It can be expensive, but it's value for money. What you pay for is what you get. You can go down in price and buy some cheap
firewalls, but you're not going to get great support and you're not going to get the level of protection you need. With Check Point
you get all of that. [Full Review]
Pushkin
Sawhney
Make sure you get the correct license. For instance, I did an audit for one of our clients recently and I saw that they always were
buying the most expensive license and not using the features that were included in it. That's one thing to look at: If you're not going
to use some features, don't buy the license related to those and go for a cheaper license. Also, negotiate. There's always room for
Steve discounts. You get licensing bundles, so depending on which features you want to activate, your license is going to be more
Vandegaer
expensive. Some things, like Th... [Full Review]
Strongly consider augmenting standard support with Check Point's premium option or by purchasing ATAM/professional services
time blocks, especially during deployment. Standard support is decent, though occasionally frustrating from a turnaround
perspective. While we sometimes wait a while for resolution on some cases, the information we receive is usually quality; that's
BrianFischer been our experience. [Full Review]
There are three types of licensing: Threat Prevention, NGTP, and Next Generation Threat Extraction. Before, it used to be you would
just enable the license of whatever blade you wanted to buy. Nowadays, Threat Prevention would be sufficient for most clients, so I
would think people would go for the NGTP, license which includes all the blades. [Full Review]
reviewer142
5090

19
Firewalls
Cisco Firepower NGFW Firewall See 38 reviews >>
Overview
Cisco NGFW firewalls deliver advanced threat defense capabilities to meet diverse needs, fromsmall/branch offices to high
performance data centers and service providers. Available in a widerange of models, Cisco NGFW can be deployed as a physical
or virtual appliance. Advanced threatdefense capabilities include Next-generation IPS (NGIPS), Security Intelligence (SI),
AdvancedMalware Protection (AMP), URL filtering, Application Visibility and Control (AVC), and flexible VPNfeatures. Inspect
encrypted traffic and enjoy automated risk ranking and impact flags to reduce eventvolume so you can quickly prioritize threats.
Cisco NGFW firewalls are also available with clusteringfor increased performance, high availability configurations, and more.C...
[Read More]
SAMPLE CUSTOMERS
Rackspace, The French Laundry, Downer Group, Lewisville School District, Shawnee Mission School District, Lower Austria Firefighters
Administration, Oxford Hospital, SugarCreek, Westfield
TOP COMPARISONS
Fortinet FortiGate vs. Cisco Firepower NGFW Firewall … Compared 24% of the time [See comparison]
Cisco ASA Firewall vs. Cisco Firepower NGFW Firewall … Compared 22% of the time [See comparison]
Palo Alto Networks WildFire vs. Cisco Firepower NGFW Firewall … Compared 15% of the time [See comparison]

Computer Software Company … 20% Financial Services Firm … 19%
Government … 6% Government … 10%
Educational Organization … 4% Manufacturing Company … 10%


20
Firewalls
Cisco Firepower NGFW Firewall Continued from previous page
With the FMC and the FirePOWERs, the ability to quickly replace a piece of hardware without having to have a network outage is
useful. Also, the ability to replace a piece of equipment and deploy the config that the previous piece of equipment had is pretty
useful. The administration is a little easier on the FirePOWER appliances because we're not using two separate products. For
reviewer1217 example, in the ASAs with FirePOWER Services, we were using the FMC to manage the FirePOWER Services, but we were still
634
using ASDM for the traditional Layer 2 and Layer 3 r... [Full Review]
The most valuable feature is the Next-Generation Intrusion Prevention System. For customers who don't have a SIEM platform,
Firepower Management Center offers some SIEM-like functionality that clearly categorizes intrusion prevention alerts. So, they are
rated with flags, from zero to four. If I see a level 1 flag, then this means that the attempted intrusion, not only relates to a real
Matt Back vulnerability, but we likely have a system in our environment somewhere that could be exploited by that vulnerability. In that sense,
it helps us quickly target whic... [Full Review]
We get the Security Intelligence Feeds refreshed every hour from Talos, which from my understanding is that they're the largest
intelligence Security Intelligence Group outside of the government. My experience with Talos has been, they're pretty on top of
things. Another driving factor towards Cisco: We get feeds every hour, automatically refreshed, and updated into the firewall. If I had
reviewer151 to rely on one security intelligence, which I wouldn't, but if I had to, I'm sure it would be Talos. The fact that it gets hourly updates
2729
from Talos gives me some ... [Full Review]
The most valuable features of Cisco firewalls are the IPS and IDS items. We find them very helpful. Those are the biggest things
because we have some odd, custom-made products in our environment. What we've found through the IPS and IDS is that their
vulnerability engines have caught things that are near-Zero-day items, inside of our network. Those items are capable being
JoshuaThum exploited although they were not actually being exploited. Being able to see what those exploits are, the potential for vulnerabilities
s
and exploits, is critical for us. [Full Review]
Regarding the solution's ability to provide visibility into threats, I'm not as positive about that one. We had an event recently where
we had inbound traffic for SIP and we experienced an attack against our SIP endpoint, such that they were able to successfully
make calls out. There is no NAT for that. So we opened a case with the vendor asking how this was possible? They had to get
reviewer1217 several people on the line to explain to us that there was an invisible, hidden NAT and that is how that traffic was getting in, and that
634
this was by design. That was r... [Full Review]
FlexConfig is there as a bridge for features that are not yet natively integrated into Firepower. It is a way of allowing you to be able
to configure things that wouldn't otherwise be possible until the development team can add them into Firepower's native capability.
There is still some work that needs to be done around FlexConfig. There are still quite a few complex things, like policy-based
Matt Back routing, that have to be done in FlexConfig, and it doesn't always work perfectly. Sometimes, there are some glitches. It is
recommended that you configure Fl... [Full Review]
It would be great if some of the load times were faster. My general sense is that it's probably related to them taking a couple of
different technologies and marrying them together. We are using virtual, so the way that I handled that was to throw more RAM in it,
which these days, is pretty cheap. I could see some improvement with the speed of deploying policies out, although it's not terrible
reviewer151 by any means. One thing about Cisco is whatever they're doing, it keeps getting better. The speed of deploying policies could be
2729
improved, although it is not ... [Full Review]

21
Firewalls
Cisco Firepower NGFW Firewall Continued from previous page
Cisco firewalls provide us with some application visibility and control but that's one of those things that are involved in the
continuous evolution of the next-generation firewalls. We have pretty good visibility into our applications. The issue that we run into
is when it comes to some of the custom apps and unusual apps that we have. It doesn't give us quite the visibility that we're looking
JoshuaThum for, but we have other products then that fill that gap. There would also be a little bit room for improvement on Cisco's automated
s
policy application and en... [Full Review]
I like the Smart Licensing, because it is more dynamic and easier to keep track of where you are at. If we have a high availability
firewall pair and they are deployed in active/standby rather than active/active, I would expect that we would only pay for one set of
licenses because you are using only one firewall at any one time. The other is there just for resiliency. The licensing, from a
Matt Back Firepower perspective, still requires you to have two licenses, even if the firewalls are in active/standby, which means that you pay
for the two licenses, even ... [Full Review]
Cisco is not for a small mom-and-pop shop because of the cost, but if you're in a regulated industry where a breach could cost you
a million dollars, it's a bargain. That's the way I look at it. [Full Review]
reviewer151
2729
Our subscription costs, just for the firewalls, is between $400,000 and $500,000 a year. In addition, there is Smart Net, but the
subscription base is the most substantial. In an environment like ours where you're only looking at a little over 1,000 users, when
you start figuring out it all, it's basically $400 a user per year to license our Cisco firewalls. Cisco is very good. From everything I've
JoshuaThum seen, I truly believe that they lead the industry in all of this, but you do pay for it. [Full Review]
s
We're going to get to a point, not this year and not the coming year, probably going into 2021, where we're going to want to replace
the ASA appliances with either virtuals or actual physicals. But the Firepower series of appliances is not cheap. I just got a quote
recently for six firewalls that was in the range of over half-a-million dollars. That's what could push us to look to other vendors, if the
Dave price tag is just so up there. I'm using these words "fictitiously," but if it's going to be outlandish, as a customer, we would have to do
Cooper
our due d... [Full Review]

22
Firewalls
Sophos XG See 90 reviews >>
Overview
Sophos XG Firewall is next gen firewall that is optimized for today’s business, delivering all the protection and insights you need in
a single, powerful appliance that’s easy to manage.
SAMPLE CUSTOMERS
TOP COMPARISONS
Fortinet FortiGate vs. Sophos XG … Compared 19% of the time [See comparison]
Sophos UTM vs. Sophos XG … Compared 16% of the time [See comparison]
pfSense vs. Sophos XG … Compared 12% of the time [See comparison]

Computer Software Company … 18% Manufacturing Company … 13%
Media Company … 5% Comms Service Provider … 9%
Government … 5% Healthcare Company … 7%


23
Firewalls
Sophos XG Continued from previous page
The real-time control on offer is excellent. We really appreciate that you can segment and quarantine certain sections of your
system without having to shut down the entire operation. The product has artificial intelligence that has the capability to quickly
identify which could be the potential risk mainly for intrusions like ransomware or a new kind of typology of attacks that are in place
Marco- right now. The idea is to mainly prevent the condition and not to manage the situation, as, if that happens, in many ways, it's already
VIVALDELLI
too late. It's to identi... [Full Review]
The web application firewall or WAF is very useful. Web application firewalls help keep your servers safe from hackers by scanning
activity and identifying probes and attacks. Using the Web Application Firewall (WAF), also known as reverse proxy, Sophos UTM
lets you protect your webservers from attacks and malicious behavior like cross-site scripting (XSS), SQL injection, directory
Alexandre traversal, and other potent attacks against your servers. You can define external addresses (virtual webservers) which should be
RASTELLO
translated into the "real" machines in pl... [Full Review]
The solution is very easy to use. Of course, we have the skills, however, it's very easy for us to deploy the solution. That's one of the
valuable features. They have a communication between the endpoint and the firewall which is very, very useful for security
purposes. Pricing is now pretty good. They changed the pricing structure a few months ago. The initial setup is pretty easy. [Full
Manuel Review]
Gellida
The SSL VPNs are the most valuable feature for me. I have a lot of systems out of the head office that need to connect to the local
networks, and they all connect via the Sophos VPN client. [Full Review]
Olufemi
Adalemo
There is no specific features request right now really. I see that all the features that Sophos is implementing and is proposing on the
market follow exactly what the market is asking. It's difficult to identify something that is missing compared with what the market can
ask as one of the most important things that Sophos does is have the capability to anticipate in a certain way what the market
Marco- expects. As a leader on the market, they tend to have the solution just before the market is asking them for it. The solution could
VIVALDELLI
offer a bit more integra... [Full Review]
Their support is fairly good, and they come back to me. I've had an issue once or twice where I couldn't understand what the
support person was saying because those calls were probably routed to India. They were a bit difficult to understand, but it is
generally not an issue. [Full Review]
Chris
Booyens
I think Sophos XG can improve some annex features. Like in DHCP, we can't make IP reservations in the range. We must reserve
out of the range, which is not good. It will not be the same as the DHCP function in a Windows Server. We can't make an IP
reservation in the range of the DHCP in the Sophos. Better in the next release? I hope... Sophos can also improve the debugging of
Alexandre the WAF function and provide a better resolution in the log, in the attached WEB log. The initial error doesn't appear. You must tail
RASTELLO
the console log to find the source pattern... [Full Review]

24
Firewalls
Sophos XG Continued from previous page
The integration could be a bit better. They need to allow their solution to integrate with other products and not just other Sophos
solutions. Sophos has a feature that in my opinion is very limited. They don't have enough VPNs on their models. They have the XG
750, which is a sizeable appliance. On those models, they used to have not enough VPNs. They always were short on that area.
Manuel Pricing used to be very bad, however, they've adjusted their strategy recently. The product needs to improve its marketing in
Gellida
Mexico. It's not a well-recognized product... [Full Review]
It comes at a fair price as compared to some of the other products out there. Its price is in the middle. It is not the cheapest, and it is
also not as expensive as Juniper, Check Point, and definitely Cisco. Nowadays, everybody is very cost-sensitive, and people don't
want to spend unnecessary money, but even before that, it was a fairly priced product. You've got your choice of what license you
Chris want. There are basically two types of licenses, and it depends on what you need to do, and everything is included in that license.
Booyens
There is no cost for VP... [Full Review]
Sophos XG isn't expensive compared to Check Point. Sure, Check Point is the Rolls-Royce of firewalls: It's great, it's fun, technically
good tunned, but it's very expensive. But the specs and technical side of Sophos XG are close to Check Point, and the price is
lower. It's better for our customers. I can do the same complex configurations with Sophos XG that I used to do on Check Point
Alexandre firewalls. [Full Review]
RASTELLO
The license includes most of the features that are necessary, but the basis of the firewall does not include everything, which helps
us to continue to sell. When comparing with Palo Alto and Cisco, Sophos is cheaper. [Full Review]
Israel
Caravantes
We pay on a yearly basis. We have Sophos XG, but we also have Intercept X for our endpoint and recently we just deployed
Intercept X for the servers. I've not done a calculation of the costs of all three to know what my yearly maintenance costs would be.
[Full Review]
Tunji Gbola

25
Firewalls
Palo Alto Networks NG Firewalls See 69 reviews >>
Overview
Palo Alto Networks' next-generation firewalls secure your business with a prevention-focused architecture and integrated
innovations that are easy to deploy and use. Now, you can accelerate growth and eliminate risks at the same time.
SAMPLE CUSTOMERS
SkiStar AB, Ada County, Global IT Services PSF, Southern Cross Hospitals, Verge Health, University of Portsmouth, Austrian Airlines, The
Heinz Endowments
TOP COMPARISONS
Fortinet FortiGate vs. Palo Alto Networks NG Firewalls … Compared 24% of the time [See comparison]
Sophos XG vs. Palo Alto Networks NG Firewalls … Compared 14% of the time [See comparison]
Azure Firewall vs. Palo Alto Networks NG Firewalls … Compared 13% of the time [See comparison]

Government … 5% Financial Services Firm … 13%
Energy/Utilities Company … 5% Healthcare Company … 8%


26
Firewalls
Palo Alto Networks NG Firewalls Continued from previous page
The product stability and level of security are second to none in the industry. We value the security of our client's infrastructure so
these features are valuable to us. An example of a very valuable feature behind Palo Alto is the application-aware identifiers that
help the firewall know what its users are trying to do. It can block specific activities instead of just blocking categories. For example,
reviewer123 you can block an application, or all unknown applications. On one occasion, I was alerted by Palo Alto that something unusual was
2628
happening through ... [Full Review]
From my experience, comparing it to other products, the granularity you can have in the application is very good. The application
detection is excellent. It's certainly one of the best. The engine detector application is usually one of the best compared to any
other firewall on the market, in my opinion. With it, I can do a lot of rules based on the application. If you have multiple internet links,
Georges you can have an application export from one link, and an application wire from another link. You can have security on the
Samaha
application. The security, for ... [Full Review]
The solution allows us to set parameters on where our users can go. We can block certain sites or ads if we want to. The firewall
capabilities are very good. [Full Review]
Mark
Gleghorn
All of the features are good. The new release of the new basic platform provides you with a huge number of features, such as policy
review, DNS security, Machine learning, Network traffic profiling, Bare metal analysis [Full Review]
Mahmoud
Salaheldin
Palo Alto needs to adjust their pricing a little bit. If they would work on their pricing to make it more cost-effective and bring it in line
with their high-end competition, it would be extremely disruptive to the industry. They rank among the best firewall solutions, but
because of pricing — even if it is deserved — they cut themselves out of consideration for some companies based on that alone.
reviewer123 [Full Review]
2628
The solution would benefit from having a dashboard. From a normal IPS after attack, routine attack and threat detection attack, in
other words, the standard IPS detection attack, I don't see Palo Alto as very good compared to others. The standard network IPS
functionality could be better. It's there in solutions like McAfee or Tipping Point, however, I don't see it here in this solution. [Full
Georges Review]
Samaha
I think they need to have a proper hardware version for a smaller enterprise. We had to go to a very high-end version which is very
expensive. If we chose the lower-end version, it would not meet our goals. A middle-end is missing in its portfolio. For example,
there's the PA820 and the PA220, but there's nothing between. So they are really missing some kind of small-size or medium-size
Jonny Su usage. Right now, you have to choose either a big one or you have a very small one, which is not really good. In the next release, it
would be helpful if there was s... [Full Review]

27
Firewalls
Palo Alto Networks NG Firewalls Continued from previous page
We're working with the entry-level appliances, so I don't know what the higher-end ones are like, however, on the entry-level
models I would say commit speeds need to be improved. The appliances I'm working on are relatively old now. We're talking five-
year old hardware. That slow commit speed might be addressed with just the newer hardware. However, even though it is slow, the
Mark speed at which they do their job is very acceptable. The throughput even from a five-year-old appliance shocks me sometimes.
Gleghorn
Currently, if I make changes on the firewall and ... [Full Review]
Palo Alto is a little expensive compared to every other solution, but you get what you pay for. The question I have been asking
customers since I became a solutions architect is what the best in security is worth. The problem with people seeking security
solutions is thinking that all solutions are the same, thinking the newest technology solutions are best and thinking cost-first. A
reviewer123 better way to think about it would be how expensive a break-in is. If I am shopping around for a firewall solution and I see I have to
2628
pay a lot per year for Palo Alto ... [Full Review]
In terms of pricing, every model has a license. For example a small model, the license around 1,000 USD. The next one around
2,000 USD. The next range is 11,000 USD to 13,000 USD. It's expensive compared to PaloAlto competitors. [Full Review]
Mahmoud
Salaheldin
We find the cost of the solution to be very high. It's quite expensive, and one of the most expensive on the market. The pricing is
related to the complexity of the environment. The more complex the company's requirements, the more it will cost. [Full Review]
reviewer100
1214
Palo Alto is an expensive solution, we currently have a three year contract. I'm not sure what our terms are. People always want
cheaper, nobody wants to pay more. In our region, I think if Palo Alto was cheaper, more companies would buy the solution. [Full
Review]
reviewer1148
964

28
Firewalls
Check Point CloudGuard Network Security See 30 reviews >>
Overview
Check Point CloudGuard provides unified cloud native security for all your assets and workloads, giving you the confidence to
automate security, prevent threats, and manage posture – everywhere – across your multi-cloud environment.
SAMPLE CUSTOMERS
Physicians Choice Laboratory Services, Helvetica Insurance
TOP COMPARISONS
Fortinet FortiGate vs. Check Point CloudGuard Network Security … Compared 24% of the time [See comparison]
Cisco ASA Firewall vs. Check Point CloudGuard Network Security … Compared 17% of the time [See comparison]
Palo Alto Networks WildFire vs. Check Point CloudGuard Network Security … Compared 16% of the time [See comparison]

Computer Software Company … 25% Government … 14%
Government … 4% Energy/Utilities Company … 10%
Energy/Utilities Company … 4% Computer Software Company … 10%


29
Firewalls
Check Point CloudGuard Network Security Continued from previous page
It's really the whole suite that is valuable. But within that, the Identity Awareness is good because you can build your policies around
each user. You can say what each user, or group of users, like HR, for example, can do. Also, the visibility, the one-pane-of-glass
which allows me to see all of my edge protection through one window and one log, is great. Monitoring everything through that one
Alex pane of glass is extremely valuable. Their IPS stuff is just fine. It updates the signatures regularly and it does a lot of that stuff
Tremblay
automatically in the ... [Full Review]
The Auto Scaling functionality is the most valuable feature. Our cloud environments are growing to the point where we need to be
able to expand and contract to the size of the environment at will. They pull you to the cloud. With the static environment that we
currently have stood up, it works well. However, it would be more efficient having the Auto Scaling even bigger. We are in the
reviewer145 middle of that now, but I can already tell you that will be the most impressive thing that we're doing. CloudGuard's block rate,
9770
malware prevention rate, and exploit r... [Full Review]
What's most valuable to me is that it's a contiguous solution that aligns well with the components that we've relied on and trusted
from a traditional hardware, firewall, and unified threat management system. My engineers and analysts don't have to learn another
platform. We have already entrusted our security controls to Check Point for perimeter and physical security, and now we can do so
M Poczobut at the virtual layer as well, which is key to us. It really augments their current stack of capabilities. It all aligns well under their
umbrella of their Infini... [Full Review]
The features of the solution which I have found most valuable are its flexibility and agility. It's a fully scalable solution, from our
perspective. We can define scaling groups and, based on the load, it will create new instances. It's truly a product which is oriented
toward the cloud mindset, cloud agility, and this is a great feature. Check Point is a known leader in the area of block rate, so I don't
MarkG have any complaints about it. It's working as expected. And similarly for malware prevention. When it comes to exploit resistance
rate, it's excel... [Full Review]
The biggest room for improvement is that, for a long time now, they've moved everything over to R80 but they still maintain some of
the stuff in the old dashboard. They need to "buy in" and move everything to the modern dashboard so that you don't have to go to
one place and to another place, at times, to configure the environment. It's time they just finish what they started and put everything
Alex in the new, modern dashboard. I thought they would have done that by now. It has been years. It's always a little disappointing
Tremblay
when you get a new version an... [Full Review]
The room for improvement wouldn't necessarily be with CloudGuard as much as it would be with the services supported by Check
Point. A lot of the documentation that Check Point has in place is largely because of the nature of the cloud. However, it is
frequently outdated and riddled with bad links. It has been kind of hard to rely on the documentation. You end up having to work
reviewer145 with support engineers on it. Something is either not there or wrong. Some of it is good, but frequently it's a rabbit hole of trying to
9770
figure out the good information from t... [Full Review]
It's meeting our needs at this time. If I could make it better, it would be by making it more standalone. That would be beneficial to
us. I say that because our current platform for virtualization is VMware. The issue isn't any fault of Check Point, it's more how the
virtualization platform partners allow for that partnership and integration. There has to be close ties and partnerships between the
M Poczobut vendors to ensure interoperability and sup-portability. There is only so far that Check Point, or any security vendor technology can
go without the partne... [Full Review]

30
Firewalls
Check Point CloudGuard Network Security Continued from previous page
Clustering has not been perfect from the very beginning. There weren't too many options for redundancy. It was improved in later
versions, but that's something which should be available from the very beginning, because the cloud itself offers you a very
redundant model with different availability zones, different regions, etc. But the Check Point product was a little bit behind in the
MarkG past. The convergence time between cluster members is still not perfect. It's far away from what we get in traditional appliances. If a
company wants to move mission-c... [Full Review]
The pricing is pretty high, not just for your capital, for what you have to pay upfront, but for what you pay for your annual software
renewals as well, compared to a lot of other vendors. Check Point is near the top, as far as how much it's going to cost you. Years
ago they used to piecemeal and you could pick whatever you wanted. But now they have two basic options. You can go with this
Alex level or the higher level and that's it. It makes it simple. [Full Review]
Tremblay
The pricing and licensing have been good. We just had to do a license increase for our portion of it. We had that done within a
couple of days. Given the fact that it's purely a software-based license, it ends up being even quicker than doing it for an on-prem
firewall. The only other thing that might come up is if we ever decided to do any managed services type of thing or bring in
reviewer145 consultants. Outside of that, their cost is what it is upfront. This is outside of whatever you will end up paying AWS to run the
9770
servers. It is all pretty straightforwa... [Full Review]
The pricing and licensing of this is much more digestible than that of its hardware equivalent. I've found, in times past, especially on
the hardware side of things, that the licensing support and maintenance could be very daunting to understand. If that has scared
folks away in the past, CloudGuard is much simpler. Licensing is simply by the number of hosts that you are looking to protect within
M Poczobut your environment. It makes it much easier to ensure that you are covering your environment. If you are not already a Check Point
customer for the UTM and t... [Full Review]
Pricing of CloudGuard is pretty fair when you have a single account. It's comparable with other cloud providers. But for our use
case, it got really pricey when we had to deploy multiple CloudGuards on multiple accounts in different regions, because you can't
have CloudGuard protecting multiple regions. That's the big thing. [Full Review]
Genesis
Floresta

31
Firewalls
Kerio Control See 26 reviews >>
Overview
Kerio Control brings together next-generation firewall capabilities -- including a network firewall and router, intrusion detection and
prevention (IPS), gateway anti-virus, VPN, and web content and application filtering. These comprehensive capabilities and
unmatched deployment flexibility make Kerio Control the ideal choice for small and mid-sized businesses.
SAMPLE CUSTOMERS
Triton Technical, McDonald's
TOP COMPARISONS
pfSense vs. Kerio Control … Compared 39% of the time [See comparison]
Fortinet FortiGate vs. Kerio Control … Compared 14% of the time [See comparison]
Sophos UTM vs. Kerio Control … Compared 13% of the time [See comparison]

Comms Service Provider … 46% Computer Software Company … 21%
Media Company … 4% Transportation Company … 14%
Educational Organization … 3% Government … 7%


32
Firewalls
Kerio Control Continued from previous page
The most valuable feature for us is the ease of use. We don't have to go crazy trying to figure out how to do something. It allows
you to make changes, set things up, turn on things for a customer without having to go through 37 different menus, read the
manual, and try to remember it. It's pretty straightforward. That's what attracted it to us in the beginning. While we can work with
BrianCook complicated systems, most of our customers don't need them, then we end up just spending more time setting up the solution than
we really need to. It's more productive... [Full Review]
The most common feature is the Traffic Rules, so the users can define which network or which users access which internet
interface. But bandwidth management and content filtering are also commonly used. With the Traffic Rules we define all the
different sources, such as various user groups or network interfaces for the crew. And we show them that if they want the guests to
Andy Dibble access 4G internet, this is how they do it. They're defining who gets what, in the Traffic Rules. If they've only got a single connection,
and everyone's sharing it, then they wou... [Full Review]
* Security * Ease of use * Ease of install * Ease to recover * The load balancing is very easy to maintain. The login appearances are
very strong. In case of problems, you're able to find anything you want. I am always able to help my customers. I really love this
product. It's very good. With its many features, there is no comparison. Over the years, I have seen other types of firewalls but they
Frank don't have these functionalities within them. You can create your users, groups, IP addresses, IP groups, and make rules. It can do
Raasveld
protocol inspection and... [Full Review]
We turned on two-factor authentication just after the shutdown when we knew we were going to get more users using it. That was
the only feature that I've used recently that was different and it worked fine. You only have to authenticate once every 30 days,
once you've fully authenticated. It was easy. Technically, it's not a full implementation. It's two-factor on every login, but it's certainly
Liam Bartlett more secure than it was. In terms of the comprehensiveness of the security features, I know that we haven't had any breaches
before. We've had security issu... [Full Review]
The one feature that seemed to be missing for a while that they finally just readded was the ability to filter by known IP lists, either
specific countries, or lists of IPs know to be hackers. That was in the product awhile ago, but just wasn't maintained for a while, but
they recently did start to maintain it again it. The MyKerio online portal could probably use a little touch up and tweaks, sometimes
BrianCook the backups just fail or you have to log off and back in with a new browser to connect to a device. The site is glitchy every now and
then. The gues... [Full Review]
Sometimes it might not be detailed enough, or it might have more details but the customers just don't know where to look. The
issue is usually when it comes to specific packets. Sometimes they find it slightly difficult to see exactly what's going on. For
example, we had a customer who was using the content filter. They tried to block Facebook using the web filter categories, and in
Andy Dibble combination with that they wanted to always require that a user was authenticated before accessing web pages. What would
happen was that even though they had the content... [Full Review]
With Kerio Connect, they blew it. They were not able to pace up with the competition. I am working with a variety of customers:
lawyer offices, travel agencies, big shopping mall accounts, and small accountancy offices. They have all kinds of needs. Kerio
Connect did a new launch in the Netherlands for the ACG and GDPR, which are very strict for some companies, like lawyer offices. It
Frank is important within the mail server product that you're able to encrypt your attachments and have two-factor authentication. All these
Raasveld
type of things are not within Ke... [Full Review]

33
Firewalls
Kerio Control Continued from previous page
If I would suggest anything, it would be to expand on its multifactor authentication to be a little bit more user-friendly. They should
do multifactor authentications for the client itself perhaps, rather than served on a webpage, in a page hijack, that might be more
user-friendly, but I don't have a lot of complaints about it. It's doing its job. You have to have a certain amount of skills to configure
Liam Bartlett these things anyway, the ones that we use on-site doing point-to-point, and we've been tricked up a few times with their interfaces.
That's been mor... [Full Review]
It's generally inexpensive compared to a lot of other products out there. We don't use the solution’s high-availability/failover
protection. For our market, it just hasn't been something that's been worth it for the cost. Because the software can run on both the
Kerio hardware as well as regular off the shelf computer hardware, we've actually just maintained a standard computer with some
BrianCook extra NICs in it or a microcomputer as a backup. So, if a box goes out, we just run out there, pull the backup file off the web (since it
is backed up through the M... [Full Review]
Pricing depends on the requirements. The more powerful boxes, like the NG500, are more expensive on licensing terms,
depending on how you license them. At the moment, the NG500 doesn't have an unlimited user option. I believe they took it away,
although I might be wrong. Figure out how many users you're going to need because there's no point in configuring or licensing it
Andy Dibble for 200 users "just in case," when you might only need 50. It's obviously going to cost you four times as much. There is an option to
have GFI Unlimited, which is their all-in-one ... [Full Review]
It's not a very expensive solution from my point of view. Because it is not only about buying a product, but how much time does it
cost to implement the features that the product offers? I haven't found another product that is able to do the things that Kerio
Control can do for the money. It is a good fit for SMBs because of its maintainability. When you want to keep your costs low, then
Frank Kerio Control is a very good solution. It's not an expensive product that is well integrated. It has a complete set of features within it
Raasveld
that make it a very strong... [Full Review]
I didn't even blink at the price but I can't even remember what it cost. It was pretty reasonable. The cost was very affordable. We
just ended up licensing our own because we didn't know who was going to be working remotely at the end of the day. I think
anyone that had a chance to work at home, they got the license. It wasn't a factor of having to do to a view and make sure that
Liam Bartlett every user absolutely needed one. It is a very affordable solution. There are no additional costs to the standard licensing that I know
of. We maintain the highway that it ... [Full Review]

34
Firewalls
Palo Alto Networks VM-Series See 16 reviews >>
Overview
The VM-Series is a virtualized form factor of our next-generation firewall that can be deployed in a range of private and public
cloud computing environments based on technologies from VMware, Amazon Web Services, Microsoft, Citrix and KVM.
The VM-Series natively analyzes all traffic in a single pass to determine the application identity, the content within, and the user
identity. These core elements of your business can then be used as integral components of your security policy, enabling you to
improve your security efficacy through a positive control model and reduce your incident response time though complete visibility
into applications across all ports.
In both private and public cloud environments, the VM-Series can be deployed as ... [Read More]
SAMPLE CUSTOMERS
Warren Rogers Associates
TOP COMPARISONS
Azure Firewall vs. Palo Alto Networks VM-Series … Compared 27% of the time [See comparison]
Fortinet FortiGate vs. Palo Alto Networks VM-Series … Compared 16% of the time [See comparison]
Cisco ASA Firewall vs. Palo Alto Networks VM-Series … Compared 10% of the time [See comparison]

Comms Service Provider … 18% Government … 15%
Government … 5% Manufacturing Company … 15%
Energy/Utilities Company … 5% Energy/Utilities Company … 8%
COMPANY SIZE
1-200 Employees … 34%
201-1000 Employees … 34%
1001+ Employees … 31%

35
Firewalls
Palo Alto Networks VM-Series Continued from previous page
The Palo Alto VM-Series is nice because I can move the firewalls easily. For instance, we once went from one cloud provider to
another. The nice thing about that situation was that I could just move the VMs almost with a click of a button. It was really
convenient and easy and an option that every firewall will not give you. [Full Review]
reviewer126
7734
What I like about the VM-Series is that you can launch them in a very short time. You don't have to wait for the hardware to route for
them to be staged and installed. From that perspective, it's easy to launch and it's good because it is more scalable. The product is
quite responsive. [Full Review]
Goran
Aleksic
Its security features, i.e. antimalware, threat prevention, URL Filtering, VPN, antivirus are the most valuable. The ID-User integrated
with AD and 2FA feature is also very useful to provide access to servers and some users in the company. [Full Review]
reviewer144
8568
The most valuable feature is that you can control your traffic flowing out and coming out, allowing you to apply malware and threat
protection, as well as vulnerability checks. It has an advanced engine that does parallel processing for packet and deep packet
inspection. It also supports user authentication. [Full Review]
reviewer1415
211
We would really like to see Palo Alto put an effort into making a real Secure Access Service Edge (SASE). Especially right now
where we are seeing companies where everybody is working from home, that becomes an important feature. Before COVID,
employees were all sitting in the office at the location and the requirements for firewalls were a different thing. $180 billion a year is
reviewer126 made on defense contracts. Defense contracts did not stop because of COVID. They just kept going. It is a situation where it seems
7734
that no one cared that there was COVID th... [Full Review]
The one issue that I didn't like is that the SNMP integration with interfaces didn't record the interface counters. It seems that you
really need to upgrade to the very latest version, whereas the physical one has worked for ages now. I think that it narrowly affects
the Azure deployment because I remember that we were using the VMware solution before, and we didn't have such issues. I think
Goran that the most important point for Palo Alto is to be as consistent and compatible as possible. It should be compliant such that all of
Aleksic
the features are consiste... [Full Review]
It can be improved in areas such as DevOps and quality assurance. The installation rules deployment process we also improved
when we deployed these firewalls. In terms of new features, for simplicity reasons, it is faster, because as I mentioned above we
can reused the same rules and the same objects from the local PAN that has a Panorama such as the single point of supervision.
reviewer144 We are looking for ways to integrate with other cloud in the future. For this, we will require a more secure integration and encrypted
8568
connections with other companies. [Full Review]

36
Firewalls
Palo Alto Networks VM-Series Continued from previous page
The disadvantage with Palo Alto is that they don't have a cloud-based solution that includes a secure web gateway. For example, if
a person is working from home and you want a proxy then you have to rely on a secure web gateway. Palo Alto cannot do that
because they don't have a cloud solution. So, if you want direct internet access and if you also want the proxies then Palo Alto is not
reviewer1415 a good choice. [Full Review]
211
I do not have to do budgets and I am thankful for that. I am just the guy in the chain who tells you what license you are going to
need if you choose to go with Palo Alto VM-Series. How they negotiate the license and such is not my department. That is because
I do not resell. I know what the costs might be and I know it is expensive in comparison to other solutions. I get my licenses from
reviewer126 Palo Alto for free because they like me. I have proven to be good to them and good for them. When they have customers that are
7734
going to kick them out, I can go in ... [Full Review]
I don't have any dealings with the accounting side of the solution. That's handled by someone else. I'm not sure what the cost is or if
we pay monthly or yearly. [Full Review]
Md Rezwan
Ashique
The VM series is licensed annually. The option exists to procure a basic license. With this, the firewall feature comes with the
application and the board, with everything in code. A subscription is included. [Full Review]
Darshil
Sanghvi

37
Firewalls
Answers from the Community
Best Firewall to create VPN for 250 plus users currently working from home?
Hi,
I am from an Auditing organization.
We are looking to have a firewall using which we can have the VPN for our users [currently WFH].
Please suggest the best firewalls currently in the market to choose from.
You need to know the apps and bandwith that your users will need to calculare the trhowoutput of the interfaces, that is more about
sizing rather than brand, but the sophos vpn client is very light and easy to install
Javier
Medina
In addition i can tell that you can use 2FA for free with the sophos authenticator and enabling OTP for your vpn remote ssl users, also
there are some other vpn awesome features like html5 and rdp over vpn so you dont need to publish or port forwarding makin you
network more secure.
Javier
Medina
You can use fortinet Firewall SSLVPN as well ipsec vpn. If you tell me what are services need to accessed by remote users. I suggest
you the correct model. nevertheless it has to be 600 Series or above. And you need have enough upload speed.
Rias
Majeed
See all 17 answers >>

38
Firewalls
What is the best way to prevent DoppelPaymer Ransomware?
I work as a project engineer at a company with 201- 500 employees.

I am looking for recommendations for the best way to prevent DoppelPaymer Ransomware. Is there an action plan or
solution you would recommend?
Thanks! I appreciate your help.

If you want absolute security, for any malware - not just the DoppelPaymer ransomware, I suggest you have a look at ThreatLocker. I
do not work for them, but we started implementing this internally and will soon push this out to clients. It is a superb product, that goes
about security in a different way - rather than layering antivirus (signature based or nextgen) on top of regular updates (Windows and
SSL 3rd party) - it implements application whitelisting and ring fencing. I suggest you have a look at their videos, and reach out to them.
https://www.threatlocker.com/ No Firewall can protect you completely, even if it is UTM. Even if you close all ports (please do so for
RDP or similar). These will help filtering URL, websites, and in some cases using AV signatures or ATP for attachments, but we noticed
this is not very effective (especially with SonicWall). Having a...
You need an APT solution integrated with your endpoint solution, firewall, and email security gateways. I recommend Wedge Network
and FireEye.
Tarek
Menshawy
I will suggest the below solution for preventing DoppelPaymer Ransomware. I would suggest an end to end protection layer with
central management and visibility. SonicWALL UTM Model NSA4650 :- for Gateway protection. SonicWALL Hosted Email Security :- for
Protect your mails SonicWALL Capture client (Next Generation Anti-Malware) :- for protect your endpoint layer SonicWALL Capture
Viral Security Center :- central management and visibility.
Hariyani

39
Firewalls
Which is the best network firewall for a small retailer?
I am the owner of a retailer company with 1-10 employees.

We host websites on Windows 2008 R2 servers and Norton Business Protection. We are looking for
recommendations for the best network firewall.
Thanks! I appreciate the help.
Good commercial firewalls take a degree of expertise that small businesses rarely possess, for that reason, I would look for a managed
security services provider that specializes in the SMB retail market. They should be able to do it affordably and with solid expertise.
They should support Fortinet or Palo Alto Network firewalls which are the current gold standard for Next-Generation Firewall. You
Stuart should also look at upgrading your Windows 2008 servers as they are end of life and tough to protect today.
Berman
1-10 employees., it's not that big, you should try the Unifi Platform from the Ubiquiti brand, it is a bargain for the price and resource you
can manage, and the better for you is you don't have to pay licencing, you only pay the hardware an the IT for implement the solution.
Luis
Apodaca
FortiGate 60F will be a good and economical choice for you especially that you will host a website it will give you the best
performance.
Mohamed
Rashwan

40
Firewalls
About this report

This report is comprised of a list of enterprise level Firewalls vendors. We have also included several real user reviews posted on
ITCentralStation.com. The reviewers of these products have been validated as real users based on their LinkedIn profiles to ensure that they
provide reliable opinions and not those of product vendors.
About IT Central Station

The Internet has completely changed the way we make buying decisions. We now use ratings and review sites to see what other real users think
before we buy electronics, book a hotel, visit a doctor or choose a restaurant. But in the world of enterprise technology, most of the information
online and in your inbox comes from vendors but what you really want is objective information from other users.
We created IT Central Station to provide technology professionals like you with a community platform to share information about enterprise
software, applications, hardware and services.
We commit to offering user-contributed information that is valuable, objective and relevant. We protect your privacy by providing an environment
where you can post anonymously and freely express your views. As a result, the community becomes a valuable resource, ensuring you get
access to the right information and connect to the right people, whenever you need it.
IT Central Station helps tech professionals by providing:
• A list of enterprise level Firewalls vendors

• A sample of real user reviews from tech professionals
• Specific information to help you choose the best vendor for your needs
Use IT Central Station to:
• Read and post reviews of vendors and products

• Request or share information about functionality, quality, and pricing
• Contact real users with relevant product experience
• Get immediate answers to questions
• Validate vendor claims
• Exchange tips for getting the best deals with vendors
IT Central Station
244 5th Avenue, Suite R-230 • New York, NY 10001
www.ITCentralStation.com
reports@ITCentralStation.com
+1 646.328.1944

41

Firewalls Buyer's Guide and Reviews June 2021

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Firewalls Buyer's Guide and Reviews June 2021

Uploaded by

Copyright:

Available Formats

F

Get a custom version of this report...personalized for you!

Get your personalized report here.

Top Vendors 5-6

Top Solutions by Ranking Factor 7

Cisco ASA Firewall 14 - 16

Check Point NGFW 17 - 19

Cisco Firepower NGFW Firewall 20 - 22

Palo Alto Networks NG Firewalls 26 - 28

Check Point CloudGuard Network Security 29 - 31

Palo Alto Networks VM-Series 35 - 37

Answers From the Community 38 - 40

About This Report and IT Central Station 41

© 2021 IT Central Station

AhnLab AhnLab TrusGuard MetTel MetTel Cloud Managed Firewall

Barracuda Networks Barracuda CloudGen Firewall Microsoft Azure Firewall

Check Point Check Point NGFW NetFortris NetFortris Hosted Firewall

Cisco Cisco ASA Firewall Netgate pfSense

Cisco Cisco Firepower NGFW Firewall OPNsense OPNsense

Fortinet Fortinet FortiGate-VM Sangfor Sangfor NGAF

Fortinet Fortinet FortiOS ShieldX Networks ShieldX

GajShield GajShield Next Generation Firewall SonicWall SonicWall TZ

GFI Kerio Control SonicWall SonicWall NSa

H3C H3C SecPath Firewalls SonicWall SonicWall NSSP

Hewlett Packard 3Com H3C Firewalls SonicWall SonicWall NSV

Menlo Security Menlo Security Cloud Firewall

© 2021 IT Central Station

Top Firewalls Solutions

Views Comparisons Reviews Words/Review Average Rating

Both Rating and Words/Review are awarded on a fixed linear scale.

3 Cisco ASA Firewall

© 2021 IT Central Station

4 Check Point NGFW

5 Cisco Firepower NGFW Firewall

7 Palo Alto Networks NG Firewalls

8 Check Point CloudGuard Network

10 Palo Alto Networks VM-Series

© 2021 IT Central Station

Top Solutions by Ranking Factor

1 Fortinet FortiGate 165,280

3 Cisco ASA Firewall 65,046

5 Cisco Firepower NGFW Firewall 39,252

2 Check Point NGFW 77

4 Cisco ASA Firewall 73

5 Palo Alto Networks NG Firewalls 59

2 Kerio Control 1,812

3 Cisco Firepower NGFW Firewall 1,080

4 Check Point CloudGuard Network 869

5 SonicWall NSV 788

© 2021 IT Central Station

Fortinet FortiGate See 98 reviews >>

REVIEWERS * VISITORS READING REVIEWS *

TOP INDUSTRIES TOP INDUSTRIES

COMPANY SIZE COMPANY SIZE

© 2021 IT Central Station

Fortinet FortiGate Continued from previous page

Top Reviews by Topic

VALUABLE FEATURES See more Valuable Features >>

ROOM FOR IMPROVEMENT See more Room For Improvement >>

© 2021 IT Central Station

Fortinet FortiGate Continued from previous page

© 2021 IT Central Station

pfSense See 37 reviews >>