    Virtual Firewall

    IT Discussion
    19 Posts 5 Posters 1.2k Views
    • Jimmy9008

      Hey folks,

      Looking at setting up a virtual firewall in addition to our existing physical one. Any pointers? Never looked into virtual firewalls before. These are some quick returns online; any to stay away from when going through them and reviewing?

      • ClearOS
      • IPCop
      • IPFire -> is this the same as IPCop?
      • OPNSense
      • pfSense

      Any to totally avoid (lack of development, outdated etc)...

      Not after specific features yet, just looking for ones that should be avoided at all cost...

      Thanks,
      Jim

      • scottalanmiller

        What's the goal? Why two firewalls? This isn't something that you normally want, unless this is to create an old fashioned full on DMZ.

        VyOS would be the main choice for something like this.

        • hobbit666 @Jimmy9008

          @jimmy9008 I've used pfSense in the past and liked it. Also used Untangle.

          • coliver

            VyOS. But really to echo @scottalanmiller what's the use case for this? Just to learn?

            • Jimmy9008 @scottalanmiller

              @scottalanmiller said in Virtual Firewall:

              What's the goal? Why two firewalls? This isn't something that you normally want, unless this is to create an old fashioned full on DMZ.

              VyOS would be the main choice for something like this.

              WatchGuard have a bug in their firmware which is holding us back from using their M300 firewall in the way we want. Specifically, issues with their content action functionality and proxying the traffic. We plan to either move away from WatchGuard entirely (staged by having these two firewalls initially), or split the services until the bug is resolved (no timeline for that currently).

              The M300 will have our 1 Gigabit WAN. The virtual firewall will route out via our 100 Megabit WAN for specific servers only.

              • Jimmy9008 @hobbit666

                @hobbit666 said in Virtual Firewall:

                @jimmy9008 I've used pfSense in the past and liked it. Also used Untangle.

                I will add Untangle to my list; any you would totally avoid?

                • Jimmy9008

                  Sophos look to do a free virtual firewall 'Sophos UTM Essential Firewall' - anybody used it? Thoughts?

                  • scottalanmiller @Jimmy9008

                    @jimmy9008 said in Virtual Firewall:

                    Sophos look to do a free virtual firewall 'Sophos UTM Essential Firewall' - anybody used it? Thoughts?

                    Last I knew, only for home use.

                    • scottalanmiller @Jimmy9008

                      @jimmy9008 said in Virtual Firewall:

                      Sophos look to do a free virtual firewall 'Sophos UTM Essential Firewall' - anybody used it? Thoughts?

                      Also, that's a UTM.

                      • scottalanmiller @Jimmy9008

                        @jimmy9008 said in Virtual Firewall:

                        @scottalanmiller said in Virtual Firewall:

                        What's the goal? Why two firewalls? This isn't something that you normally want, unless this is to create an old fashioned full on DMZ.

                        VyOS would be the main choice for something like this.

                        WatchGuard have a bug in their firmware which is holding us back from using their M300 firewall in the way we want. Specifically, issues with their content action functionality and proxying the traffic. We plan to either move away from WatchGuard entirely (staged by having these two firewalls initially), or split the services until the bug is resolved (no timeline for that currently).

                        The M300 will have our 1 Gigabit WAN. The virtual firewall will route out via our 100 Megabit WAN for specific servers only.

                        Those are all UTM features, not firewall features. I have a suspicion that you are looking for a UTM, not a firewall. Or possibly that you are looking for UTM functionality, not firewall functionality, behind a firewall, which is a great way to go if you need that stuff. But if so, you're using the wrong words, so we are giving you bad info.

                        • Jimmy9008 @scottalanmiller

                          @scottalanmiller said in Virtual Firewall:

                          @jimmy9008 said in Virtual Firewall:

                          @scottalanmiller said in Virtual Firewall:

                          What's the goal? Why two firewalls? This isn't something that you normally want, unless this is to create an old fashioned full on DMZ.

                          VyOS would be the main choice for something like this.

                          WatchGuard have a bug in their firmware which is holding us back from using their M300 firewall in the way we want. Specifically, issues with their content action functionality and proxying the traffic. We plan to either move away from WatchGuard entirely (staged by having these two firewalls initially), or split the services until the bug is resolved (no timeline for that currently).

                          The M300 will have our 1 Gigabit WAN. The virtual firewall will route out via our 100 Megabit WAN for specific servers only.

                          Those are all UTM features, not firewall features. I have a suspicion that you are looking for a UTM, not a firewall. Or possibly that you are looking for UTM functionality, not firewall functionality, behind a firewall, which is a great way to go if you need that stuff. But if so, you're using the wrong words, so we are giving you bad info.

                          Any examples of virtual UTM devices in that case?

                          • scottalanmiller @Jimmy9008

                            @jimmy9008 said in Virtual Firewall:

                            @scottalanmiller said in Virtual Firewall:

                            @jimmy9008 said in Virtual Firewall:

                            @scottalanmiller said in Virtual Firewall:

                            What's the goal? Why two firewalls? This isn't something that you normally want, unless this is to create an old fashioned full on DMZ.

                            VyOS would be the main choice for something like this.

                            WatchGuard have a bug in their firmware which is holding us back from using their M300 firewall in the way we want. Specifically, issues with their content action functionality and proxying the traffic. We plan to either move away from WatchGuard entirely (staged by having these two firewalls initially), or split the services until the bug is resolved (no timeline for that currently).

                            The M300 will have our 1 Gigabit WAN. The virtual firewall will route out via our 100 Megabit WAN for specific servers only.

                            Those are all UTM features, not firewall features. I have a suspicion that you are looking for a UTM, not a firewall. Or possibly that you are looking for UTM functionality, not firewall functionality, behind a firewall, which is a great way to go if you need that stuff. But if so, you're using the wrong words, so we are giving you bad info.

                            Any examples of virtual UTM devices in that case?

                            Sophos, Palo Alto, Untangle, etc.

                            • scottalanmiller

                              VyOS is NOT a UTM, for example, but is the best firewall of the bunch. So an important differentiation.

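As an added example (not from the thread, and not VyOS project documentation), this is what the split Jim describes looks like with VyOS in the plain firewall/router role Scott distinguishes from a UTM: the M300 stays the LAN's default gateway on the 1 Gbit WAN, and a VyOS VM steers only the listed servers out the 100 Mbit WAN with policy-based routing while dropping unsolicited inbound traffic on that link. Interface names, the RFC 5737/RFC 1918 addresses and the VyOS 1.3 command syntax are assumptions.

```vyos
# Assumed layout: eth0 = 100 Mbit WAN, eth1 = LAN segment shared with the M300.
# All addresses below are constructed placeholders.
set interfaces ethernet eth0 address '203.0.113.2/24'
set interfaces ethernet eth0 description 'WAN-100M'
set interfaces ethernet eth1 address '10.10.0.2/24'
set interfaces ethernet eth1 description 'LAN'

# Main table: anything not steered below is sent back to the M300 at 10.10.0.1,
# so the VM never becomes an accidental second path for the rest of the LAN.
set protocols static route 0.0.0.0/0 next-hop '10.10.0.1'

# Table 100: default route out the 100 Mbit WAN.
set protocols static table 100 route 0.0.0.0/0 next-hop '203.0.113.1'

# Only the named servers are steered into table 100 (policy-based routing);
# the group is the single place to maintain the "specific servers" list.
set firewall group address-group SLOW-WAN-SERVERS address '10.10.0.50'
set firewall group address-group SLOW-WAN-SERVERS address '10.10.0.51'
set policy route PBR-100M rule 10 source group address-group 'SLOW-WAN-SERVERS'
set policy route PBR-100M rule 10 set table '100'
set interfaces ethernet eth1 policy route 'PBR-100M'

# Masquerade behind the 100 Mbit WAN address. Everything leaving eth0 comes
# from the steered servers, so no per-host NAT rules are needed.
set nat source rule 100 outbound-interface 'eth0'
set nat source rule 100 translation address 'masquerade'

# Stateful filter on the WAN side: accept return traffic only and drop anything
# unsolicited, both forwarded (in) and destined for the VM itself (local).
set firewall name WAN-IN default-action 'drop'
set firewall name WAN-IN rule 10 action 'accept'
set firewall name WAN-IN rule 10 state established 'enable'
set firewall name WAN-IN rule 10 state related 'enable'
set interfaces ethernet eth0 firewall in name 'WAN-IN'
set interfaces ethernet eth0 firewall local name 'WAN-IN'
```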
                              • scottalanmiller

                                If doing this, I'd recommend moving to Ubiquiti for your actual firewall, no upside to anything else in this range. Ubiquiti is the best.

                                Then the UTM VM for all those other functions. Or it can be multiple VMs, no reason to have all the functions in one. Like web proxy and AV could be two different VMs from different vendors, in theory.

                                • Jimmy9008 @scottalanmiller

                                  @scottalanmiller said in Virtual Firewall:

                                  If doing this, I'd recommend moving to Ubiquiti for your actual firewall, no upside to anything else in this range. Ubiquiti is the best.

                                  Then the UTM VM for all those other functions. Or it can be multiple VMs, no reason to have all the functions in one. Like web proxy and AV could be two different VMs from different vendors, in theory.

                                  If that UTM function is being handed over to the VM, why not keep the M300 as the actual firewall, which has not been the problem? The firewall part of the M300 has been great; it's the UTM feature that I'd look to be moving off to the VM.

                                  • scottalanmiller @Jimmy9008

                                    @jimmy9008 said in Virtual Firewall:

                                    @scottalanmiller said in Virtual Firewall:

                                    If doing this, I'd recommend moving to Ubiquiti for your actual firewall, no upside to anything else in this range. Ubiquiti is the best.

                                    Then the UTM VM for all those other functions. Or it can be multiple VMs, no reason to have all the functions in one. Like web proxy and AV could be two different VMs from different vendors, in theory.

                                    If that UTM function is being handed over to the VM, why not keep the M300 as the actual firewall, which has not been the problem? The firewall part of the M300 has been great; it's the UTM feature that I'd look to be moving off to the VM.

                                    Just to make it easier to save money and unify management long term. It would be no rush, but at least make the plans now. You don't want to end up in a spot where the Watchguard gets replaced with something else incredibly silly later on. Sometimes it's worth investing well now (we are talking like $85) to make sure the right stuff is in place so that expensive stuff doesn't get bought again down the road.

                                    • Jimmy9008

                                      @scottalanmiller said in Virtual Firewall:

                                      @jimmy9008 said in Virtual Firewall:

                                      @scottalanmiller said in Virtual Firewall:

                                      If doing this, I'd recommend moving to Ubiquiti for your actual firewall, no upside to anything else in this range. Ubiquiti is the best.

                                      Then the UTM VM for all those other functions. Or it can be multiple VMs, no reason to have all the functions in one. Like web proxy and AV could be two different VMs from different vendors, in theory.

                                      If that UTM function is being handed over to the VM, why not keep the M300 as the actual firewall, which has not been the problem? The firewall part of the M300 has been great; it's the UTM feature that I'd look to be moving off to the VM.

                                      Just to make it easier to save money and unify management long term. It would be no rush, but at least make the plans now. You don't want to end up in a spot where the Watchguard gets replaced with something else incredibly silly later on. Sometimes it's worth investing well now (we are talking like $85) to make sure the right stuff is in place so that expensive stuff doesn't get bought again down the road.

                                      Yes, that makes sense. Other things in the pipeline will take priority over this currently though. Will add investigating this to my list. Ta Scott.

                                      • Obsolesce @scottalanmiller

                                        @scottalanmiller said in Virtual Firewall:

                                        Why two firewalls?

                                        DMZ --> Perimeter Network --> LAN?

                                        • scottalanmiller @Obsolesce

                                          @tim_g said in Virtual Firewall:

                                          @scottalanmiller said in Virtual Firewall:

                                          Why two firewalls?

                                          DMZ --> Perimeter Network --> LAN?

                                          That's how it used to be. The DMZ meant the area between the firewalls.
