Last week here in Sydney was what I tend to call moderately hot to hot. It reached 39°C on Wednesday and 37°C on Thursday. Consequently it was pretty warm in my apartment when I got home from work, and on both days my firewall failed.

Being a network engineer, and a Cisco guy at that, I naturally have a Cisco home network. I have a Cisco 1801 ADSL router connected to an ASA 5505 firewall (I may write a post documenting the design in the future, but today’s post isn’t about that).

My ASA sits atop an aluminium drive cage for ventilation, which sits atop my router, which sits atop my NAS, which sits atop my amp, which sits atop a couple of old computer cases. Todo: Buy furniture so I don't have to play hardware jenga!

On both evenings when the firewall failed, basically about halfway through a large download I lost all contact with the firewall. When I checked on it, the status light was red and the other status lights were flashing on and off simultaneously. The first time it came good after a quick reboot, but failed again a short time later, so I elevated it on the aluminium drive cage shown above and pointed a fan at it, which seemed to help. The following day it happened again, so I just rebooted and once again switched the fan on.

I’ve had the ASA for a few years now; it was a pretty old model when I got it and it’s definitely showing its age compared to some of the newer models, so I’ve spent the last few evenings considering what I might replace it with.

Obviously there’s Cisco’s newer ASA 5506-X, but there are also plenty of other brands with similar offerings. Juniper, Fortinet, Dell, Barracuda and even Cisco themselves all have alternatives to the ASA, so how do I choose which one to go with?

Firstly, what do I use it for? My home ADSL is a paltry 11Mbps down and 1Mbps up. I usually download at least a couple of hundred GB a month, things like Steam games and other software downloads, YouTube and Netflix video streaming, and the odd torrent.

The government’s NBN project is scheduled to roll out in my area sometime within the next few years. Maybe. And I have no idea whether I’ll be getting HFC cable or FTTN. Either way the maximum speed I can expect is 100Mbps, although the reality is the average will likely be closer to 50Mbps, so I won’t need anything too high performance. However if I am lucky enough in the future to move to somewhere serviced by FTTP, it would be nice to have the option of a 1Gbps port.

VPN capability is a given requirement, both site-to-site and remote access, though it only needs to support a single client. I haven’t played with SSL VPN, and it doesn’t really interest me since IPsec suits me just fine.

While they would be nice, I don’t really need IPS or UTM features (content & application filtering, anti-virus, anti-malware, etc.), since it’s only a home network, and I can do anti-virus and anti-malware on the endpoints. Not to mention the subscriptions are usually pretty expensive!

So basically the only other things I use it for are NATing to the /29 supplied by my ISP and firewall filtering.

In other words, I only need something very low-end. I’ve researched a few different models, and here’s what I’ve found.

I won’t go into the specs such as number of supported VPN connections, firewall/VPN throughput, maximum connections per second, etc. Suffice it to say all would be sufficient for my requirements. Clearly the higher-end models such as the FortiGate 60D and Juniper SRX220 are overkill, but I’ve included them for a couple of reasons.

Firstly, while researching the FortiGate 30D I found a lot of users noted it was a highly cut-down model with fewer features and configuration options than the 60D. It probably would be fine for my purposes, but I’ve included the 60D for comparison. And comparing Juniper’s lower-end firewalls to the others here would be a bit unfair, considering the SRX220 is the first model with gigabit ports. Even then only two of the eight ports are gigabit, the rest being 100Mbps.

However both the Fortigate 60D and Juniper SRX200 can be ruled out on their price alone, as they’re both well over $1,000 here in Australia, with the Juniper being closer to $2,000.

As for the price of the rest, the Dell is the cheapest at under $500, the ASA can be found for around $560, the Meraki around $620 and the FortiGate 30D around $800 (or around $600 on eBay from the US).

The Dell SonicWall is a big unknown in terms of capabilities and configuration; I’ve never used one before, nor has anyone I know. The specs and features seem to be reasonable for the price, but the GUI leaves a lot to be desired, and the admin guide is a 50MB, over 1600 page monster, which doesn’t instil confidence in its ease of use.

The FortiGate GUI looks a lot more user-friendly, and the admin guide looks much more approachable than the Dell’s; there are also a lot of use-case based configuration examples and videos available on the Fortinet website.

To be honest I didn’t look into the Cisco Meraki much. The datasheet suggested that configuration was all cloud-based, and I’m not a fan of devices that can’t be configured locally. It also suggests that the cloud features are a subscription-based license, which to me says you would no longer be able to configure it if you don’t renew the subscription. Forced paid subscriptions are an instant show-stopper.

Finally the ASA 5506-X uses the same ASA software and ASDM GUI I’ve got in my current ASA, and we use ASA 5585-X and 5525-X firewalls at work, so I’m already very comfortable with both the GUI and CLI, which are both very powerful.

The only downside of the ASA is that the ports only support layer-3 routed and sub-interface modes, and can’t be configured as switch ports and assigned to a VLAN as with the old ASA. This is a pretty big disappointment, but the Dell admin guide also leads me to believe that it’s the same there (I believe the FortiGate’s LAN ports are switch ports). Obviously the work-around is to use a separate switch, which is no problem, but it effectively makes the extra six ports useless to me.
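As an added illustration (not configuration from the original post), here is what the separate-switch work-around and the NAT to an ISP /29 mentioned earlier look like on an ASA with routed sub-interfaces. Addresses and port roles are assumptions: 203.0.113.0/29 stands in for the ISP block, 192.168.10.0/24 and 192.168.20.0/24 for two LAN VLANs, Gi1/1 faces the ADSL router and Gi1/2 is an 802.1Q trunk to the switch.

```cisco
! Added example, not from the original post. Addresses and interface roles are
! assumed: 203.0.113.0/29 is the ISP-supplied /29, Gi1/1 faces the ADSL router,
! Gi1/2 is an 802.1Q trunk to a separate switch carrying VLANs 10 and 20.

! Outside: one usable address of the /29, default route to the ADSL router.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
route outside 0.0.0.0 0.0.0.0 203.0.113.1

! No switch ports, so the inside port becomes a routed trunk: the physical
! port carries no IP address and each VLAN lives on its own sub-interface.
interface GigabitEthernet1/2
 no nameif
 no security-level
 no ip address
interface GigabitEthernet1/2.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface GigabitEthernet1/2.20
 vlan 20
 nameif servers
 security-level 50
 ip address 192.168.20.1 255.255.255.0

! Outbound NAT: both VLANs hide behind the outside interface address.
object network lan-inside
 subnet 192.168.10.0 255.255.255.0
 nat (inside,outside) dynamic interface
object network lan-servers
 subnet 192.168.20.0 255.255.255.0
 nat (servers,outside) dynamic interface

! Static one-to-one NAT from a spare /29 address to one host. Post-8.3 ACLs
! match the real (pre-NAT) address, so the rule references the object and
! exposes only TCP/443; everything else inbound is denied and logged.
object network srv-web
 host 192.168.20.10
 nat (servers,outside) static 203.0.113.3
access-list outside_in extended permit tcp any object srv-web eq https
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
```

Traffic from the higher security-level "inside" VLAN to "servers" and "outside" is permitted by the ASA's default security-level behaviour, so only the inbound ACL on the outside interface is needed for this layout.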

So are the extra few ports on the FortiGate 30D worth paying a premium for? No, especially when there are so many reports that the 30D is much more limited than the 60D model. Is it worth saving around $100 and getting the Dell? If the GUI and documentation are as bad as they look, probably not.

I guess that means I’m sticking with Cisco!