Firewall Vendors

The firewall is the front door to your network — the device that decides what gets in, what gets out, and what happens when something hostile comes knocking. Choosing one is a balance of capability, cost, licensing terms, and how much of your life you want to spend maintaining it. Here's where the major vendors land for us.

SonicWall

SonicWall is what we reach for most, and it comes down to value. The spec-to-price ratio is the best in the category, the support is solid, and — a detail that matters more than people expect — they license high availability generously. Even a low-end license gives you a lot of capability, and standing up a second unit for HAUsing multiple independent power paths to ensure equipment keeps running when a single power source, circuit, or UPS fails. doesn't cost a fortune. For most organizations, SonicWall delivers enterprise-grade protection without enterprise pricing.

Fortinet (FortiGate)

FortiGate is solid hardware, and we deployed it constantly for years. Two things pushed us back toward SonicWall. First, the licensing carries more friction than it should. Second, the port speeds run low for the price: at a given cost tier we want to see more SFP+Layer 1 is the physical layer of the OSI network model — the actual cables, connectors, electrical signals, and light pulses that carry bits between devices. If Layer 1 is broken, nothing above it works. than Fortinet tends to offer. There's also been a notable run of security issues in the platform recently. It's still capable gear, but the value equation moved.

Meraki

Cisco Meraki firewalls are easy to manage and dependable, with the same trade-off as the rest of the Meraki line: you pay a premium, and the licensing is perpetual — let it lapse and the box stops protecting you. Fine where an organization is already all-in on Meraki; rarely our value pick.

Cisco

Traditional Cisco firewalls are extremely strong and built for the largest environments. They're also expensive and high-maintenance to run. This is enterprise-only territory — the right answer for a large, Cisco-standardized organization with the staff to manage it, and overkill almost everywhere else.

Juniper and Palo Alto

Juniper and Palo Alto are the premium names. They're expensive, but each has a devoted following for good reason — at the high end they're excellent. For most of the small and mid-sized organizations we serve, though, the cost is hard to justify against what SonicWall delivers.

Which SonicWall

When we do deploy SonicWall — which is often — sizing follows a clear ladder. The right model depends on user count and, especially, on your internet speed, because the firewall has to inspect traffic at your WAN's full rate.

• TZ280 — most small offices
• TZ680 — 100+ users (adds 10 Gb ports)
• NSa 2800 — larger environments
• NSa 3800 — 5 Gbps WAN
• NSa 4800 — 10 Gbps WAN

And one rule across all of them: always deploy high availability. A second unit in HA turns the failure of a firewall into a non-event instead of a company-wide outage — and because of how SonicWall licenses HA, it's an affordable kind of insurance. (The architecture firm in this case study runs SonicWall for exactly this reason.)

The firewall is also where your VPNCreates an encrypted tunnel between two endpoints over the public internet — used for remote access to corporate resources and connecting offices without leased lines. and SSL VPNRemote network access over HTTPS using TLS — works through any firewall since it runs on port 443. remote access live, and where next-generation firewallGoes beyond port and protocol filtering to inspect application-layer traffic, enforce user-based policies, detect intrusions, and block threats in real time. features — deep packet inspection, intrusion prevention, content filtering — actually get enforced. Specifying, licensing, and maintaining all of it correctly is the substance of our firewall and network security work.