Tom here from Lawrence Systems, and let's dive into the topic of talking about different firewall options. This is going to have a lot of qualifiers around it. This is April of 2023 when I'm making this list. These are the firewalls on this list, at least, that I have direct experience with, or at least some indirect experience with through friends, and that's one of the big qualifiers: it's impractical and hard to try to list all the popular firewalls, and that's going to be the controversial one, as I learned on Twitter when I posted some of these questions. People want me to review their favorite firewall, and if it's your favorite firewall, keep using it. If it's happy, if it's secure and it works well for you, I don't have any reason to tell you not to use those. I wanted to offer some knowledge on what we use, and the qualifying list here comes down to things we use a lot, pfSense of course being on that list, and things that some of my trusted IT friends that we work closely with do use as well.

Now a little background on myself here. We are an IT services company and a managed services company, as in we are outside IT for other businesses. We manage about 50 pfSenses in different businesses that we also do consulting with; some of those have internal IT teams. Now, expanded from that, we also have co-managed IT we do, as in they have an internal IT department but farm out some of the work to us, and we have a lot of those clients using things like FortiGate. Not that we're managing their FortiGate, but we know they manage their FortiGate; we're usually managing, let's say, their servers or some virtualization or some storage. So I have interaction with a lot of these firewalls that are on the list here, with the exception of a little bit of Meraki. I have less interaction with them, and the same thing with the FortiGate, it's less interaction, but worth listing on there because I had my friend Jason Slagle go over the list and say, yeah, we definitely use these, we like them. You've seen them on the channel before. And then I also had Christian Lempa, and I have a few other IT friends that really like the Sophos system, so I threw it on there, but I just don't work with those a lot, but I at least, for a comparison list, have it on there.

People who are familiar with my channel know my bias towards pfSense because it's a very popular solution. One thing I will say right off the bat here, though, when it comes to pfSense: I listed it as just pfSense, but yes, there's two versions, pfSense and pfSense Plus. pfSense CE, I should say, which is Community Edition, the open-source version; pfSense Plus is basically that same version with a few extra add-ons on there. And this is a topic that, you know, people say, well, aren't you now talking about pfSense but closed-source? If you look, they're kind of developed in tandem, but they do release the pfSense Plus editions first. That is just the way they do things. pfSense, the Netgate people behind it, are big at supporting upstream and BSD. They write some of the drivers and do a lot of the integrations. They have wonderful documentation as well; those are the reasons I've been such a longtime user of pfSense. But without, you know, getting too far into it, I will mention OPNsense is not on the list because I just don't interact with it from a business standpoint. I don't have any problem, though, if you would like to use OPNsense. This is where the Twitter controversy was, by me not having it on there; people seem to assume that I have some dislike for it. I just don't use it. It does have more frequent updates, but they're both actively developed projects. pfSense 2.7 CE, which is close to final release, is based on FreeBSD 14, I believe; OPNsense is on FreeBSD 13. But both of those are current, and if you go to pfSense Plus, that it's currently on 14, that's current as well.
So there are updates to it, they're just less frequent. OPNsense seems to be really popular in the home lab world because it has, like, more packages, and I get that, but from a business management standpoint, and that's where a lot of my experience comes from, is using these in businesses, not just testing in a lab. So the real-world usage, I just don't run into the OPNsense as much, and having to manage something that has a lot of updates can be challenging. Now, it is my understanding, lightly, and I looked a little bit, there is a business version of OPNsense which has a slightly different path with a few extra features, but I've never used it, and I didn't want to buy a license just to test something, because that testing would be still, once again, in the lab. I don't have time to tear down large infrastructure, we have site-to-site VPNs, etc., and see how OPNsense performs. So if you want to use it, keep going; if you're happy with it, keep using it. My preference is for pfSense, and let's dive into the details of the list I have over here.

We've got pfSense, Arista Untangle. So Arista bought Untangle and they've continued on with the product. I believe they renamed it Arista Edge, but I still see Untangle in a few places; I think that branding is still there, though if you look for my old videos, they all say Untangle. Maybe I'll do an update video on it at some point since it's been bought. They still have been maintaining the project. It's still a popular firewall, and I have some friends that are gold partners in it. We don't have that many clients on it, but we have a few, and it seems to work well, and it's very trouble-free.

USG, UXG, and the UDM Pro, UDM Pro SE. I grouped these together separately, as opposed to just calling it UniFi, because these have very different functionalities, and even the UDM Pro and Pro SE, there's some differences there. You can probably throw in the UniFi Dream Wall on there to be more like a Pro SE. The UniFis are really popular in the market, but there's definitely some shortcomings we'll be talking about there. FortiGate, Sophos, and Meraki. You can't ignore Meraki's presence, especially in the IT services market, so I threw them on here as a list. I also can't ignore the controversies around Meraki, not just the pricing but occasionally Meraki going around people. I've got links that are in the description if you want to dive into some of that, and contacting customers directly is the going around: you have to be a reseller to get Meraki, and then they contact your customers directly to catch you out. Not the first time I've heard of Meraki doing it, but it recently happened again, so I didn't want to ignore or pretend the controversy doesn't happen with them.

Next is the features here. Can run on your own hardware: with pfSense, yes; Arista Untangle, yes; and no, no here. You're only going to run it on the UniFi hardware when you're running UniFi. FortiGate, same thing: you don't get to just load it up as a device, you're going to have to use the FortiGate hardware. Sophos, so it's a software-based firewall. They do have appliances, just like pfSense does, so yes, you can load it up yourself or virtualize it, which is the next category, and Meraki's a no on both of those.

Virtualize: I've virtualized pfSense, mostly for lab use, but you can use it in production. I'm partial to using direct hardware, though it's an option. Same thing with the Arista: I'm partial to using hardware, but yes, it can be virtualized. You're tied to the hardware when it comes to the UniFi line, and the FortiGate I put yes, but with a link to how they do virtualization, that way you have that information available to you. For the page, they have already talked about virtualized ones, and Christian Lempa has a video on Sophos and virtualizing Sophos.

Central management's a big thing that comes up when you're doing this from a business standpoint, not just as a home user. And pfSense doesn't have anything natively they offer. Our solution to this is to have our clients' pfSenses VPN back to us. This allows us to get to their web interfaces, but not create any tunnels between them, so there's no lateral movement that can happen from a security standpoint. This is what scares me with some of the third-party ones out there, where people say, let's just put SSH keys in so we can have one central place to automatically manage it. You're also creating one central place where someone could mass-change firewalls without a second level of authentication, depending on how that's done. So, something to take into consideration. There's nothing official from Netgate on this. The one from Arista does work in a way where it just creates a tunnel back, essentially like a proxy, where it just brings you to the login page of each device and gives you the status of those devices. So there's central management; it's nice. UniFi, if you have the USG, UXG, via their controller: the UniFi controller acts as the central management for multi-sites on there. It's a multi-tenant controller, so you can have many clients in there if you want. Yes, via the UI site: so each one of the Dream Machines, or even the Dream Wall, they run the UniFi controller software within it, and then you can tie it to UniFi's portal, which just brings you to the page on there, through central management through the UniFi system. So they do have a way of handling that. FortiGate has their central management system, Sophos does, and so does Meraki.

Web interfaces: yes for pfSense and Untangle. Via the UniFi controller, even though it's built into the Dream Machine series, it's still the UniFi controller software running inside of it, so you're not exactly interacting with the firewall natively, you do it through the UniFi software. FortiGate, yes, has a system, so does Sophos, and Meraki is pretty much via their site. There's very basic things you can do on a Meraki; you can't really do any advanced configurations. I think it just has some troubleshooting things you can do when you get to the web interface of a Meraki firewall. It's designed to really be managed through their site.

Licensing fees: pfSense comes in Community Edition and Plus. The Community Edition is free, the open-source edition; the Plus edition can be registered for free for home users and lab use, so there's not actually any license fees, but you can also buy support packages if you want when you're running it on your own hardware. If you buy Netgate hardware, there's no license fee, hence a little asterisk there. So if you buy any of the Netgate appliances, you get the pfSense Plus edition and a limited amount of support, and there's no license fees ever. It's perpetual; there's no renewals on this. Arista, they're a little bit more mixed; that's why I said some features. This is a link that takes you to a comparison chart of what you get for free versus what requires extra licensing, paid licensing, versus just free registration, because you do have to do some registration if you want to use the Untangle. It's not just download and go.
There's, I believe, a registration page you have to set up on there. No license or registration; it's tied to the hardware, technically, to make any of the firewall functions work. FortiGate, yes, they definitely have licenses. Sophos has a free-for-home edition, and Meraki is not just licensed, they're licensed and I believe it just stops working when there's no licenses. They don't have a home or free edition that I'm aware of; maybe they do, but I didn't see it when I was looking. They do have some basic models, and you can get some, like, special reseller extra licenses, I think, once you are a registered reseller, but I'm not going to get too off topic now.

Operating systems: pfSense is going to be based on FreeBSD, currently FreeBSD 14. Then we have Linux, and I put Linux on all these, but technically they're very custom versions of Linux. They're not like Linux and then they loaded some piece of software on top to make a firewall, but they're at least Linux-based at the underlying OS.

Supports high availability: yes, and yes on the Arista and on the pfSense. No, and no on either model of these. I know it's been in the coming, in the future, but I don't know when that future is; maybe you're watching it when they actually release this, but that's not a feature that they offer, a full HA where one firewall can fail over to another. Yes on these ones here.

BGP, OSPF: there's actually quite a bit of features around this with the pfSenses, and as one of the packages they have to control this. But this is where sometimes you may have a little bit of nuance. You have this in pfSense, you have this in Arista. It's limited what you can do in Meraki; I forget what the limitations are, I'd have to do some digging to figure out, because it may change from model to model, as I was told. FortiGate, yes, and Sophos says yes, but this is where you can start to say, okay, but does it do it the exact way I want it to, or the full features? That's where we'll say yes, it has it, but the details are going to be, dig into it. If you have a BGP use case, dig into it first.

SD-WAN: there is no SD-WAN option for pfSense. Arista Untangle has an SD-WAN option that integrates into Untangle. Nothing I'm aware of for the UniFi line. FortiGate has their own SD-WAN options that integrate with their firewall, so does Sophos, and so does Meraki.

OpenVPN: pfSense uses normal OpenVPN; it's interoperable with standard OpenVPN clients. And for the most part Untangle is as well. Arista Untangle can do OpenVPN; they have, I've done videos on this where I've talked about their implementation, I actually liked it. Yes, they actually have the full version of OpenVPN that you can use, a rolling TOTP, versus it's done differently in pfSense. So nuance kind of matters to some people if you're using TOTP authentication with those; they implement it differently, but it is at least still OpenVPN. Very basic OpenVPN, and it seems to be that they've included more OpenVPN; I've not done a lot of testing on here, and it's only EA if you use the Pro. This is where UniFi can be very tricky to do this, because UniFi themselves do not list nice charts for features across their firewalls that are easily found, and even Cody from Actile Comp Network, she does a lot of videos on here, and Cody and I were talking, and as Cody said, you just have to take and read the notes for each version release and see what applies to your firewall. And he's not wrong, the UniFi does not do a great job of nuance to figure out what features are supported, and right now it's only on the EA as of April 1st of 2023 when I did my testing on this. FortiGate does not have OpenVPN in there. Sophos has their own custom implementation of it, and Meraki does not either.

IPsec: yes, that is a paid feature on Arista, so that's back to the licensing fees; you can only get it with the paid version. Yes, they both have IPsec on the UniFi line. FortiGate all the way across; IPsec is pretty popular.

WireGuard: yes on pfSense, paid on Arista Untangle. No, but yes, but yes, but, is the way I'd put it on here. Their WireGuard implementation is a little bit confusing, and I think it's also on their normal implementation. They have their Teleport version of it, which is designed to tie to phones, but it's a little confusing, and I don't, it's not, they're getting towards, I know at some point when they hit full release here it's supposed to be, like, a more normal WireGuard implementation. So make sure it fits your use case if you're looking into one of these and you have a desire to use WireGuard. FortiGate does not, neither does Sophos or Meraki.

L2TP: once again, a paid feature. They do have this on the UniFis. Please note there are certain limitations with L2TP, which is why it's not the most popular VPN. But it is, I should say, not the most popular; it is a popular VPN, but it can cause challenges when you have two users behind the same IP address. This is something where you try to get a couple of people VPNing in and you'll go, wait, there's some conflicts, as L2TP doesn't like when people come from the same IP address. That is a problem you run into with home users, and especially if they're in the same area provided by CGNAT, for example, it can break things.

This is one that is a yes only for pfSense, and someone may think I'm biased for putting it on here, but there's no denying Tailscale's popularity. It has grown immensely. I know ZeroTier is kind of a competing product that I could have listed on here, but it would just be no across the board; ZeroTier is not in any of these. But Tailscale, with a lot of commercial backers and a really good product, has become really popular. I love that they integrated it into pfSense.
That's actually why pfSense chose that. I know there's been requests, and there's third-party ways to get ZeroTier in pfSense, but nonetheless, I've done videos on both ZeroTier and Tailscale. I think they're both great solutions. It's just nice, and I wanted to throw it out there that yes, they are integrated in here.

Intrusion detection, intrusion prevention systems: with pfSense, this is going to be a manual process. You can load Suricata or Snort, you can turn on all the rules, you're going to get some false positives, you're going to have to do some investigating how that goes for you. This is something I've done a video on, for tuning Suricata. But just so you know, it's not like you just set and forget it and it just works. And it's very automated, with everything like the rule updates being automated; you can buy pro rules and put them in there, but it's still kind of on you to determine the threat investigation. They've filtered the rules a little bit differently when you get them from Arista Untangle, so theirs is, I would say, a little bit smoother, because it's part of the feed you're getting from Arista, but there still can be some false positives depending on rule settings on there. It's very basic inside the UniFi and USG series, so they have it, but it's kind of basic. Also, some people, I'm a little fuzzy on exactly what speed penalties there are for turning it on. This is going to be very varied based on the hardware you have with both of these ones here, because you're providing your hardware. FortiGate will have as well, and Meraki, specs on turning it on and what the throughput would be with those features, and Sophos, once again, if you're running on your own hardware or if you buy the Sophos boxes, you know, you're going to get varied amounts of speed hit on that. So worth noting.

I put content filtering, and this is where people tell me, but yes, it does have it. I would not use it.
We do not plan on using it, or this is why I don't do videos on how to set up Squid or anything like that. I think it's a headache. I think it's complicated to manage. I don't find it simple. It always seems to have lots of bugs in it and requires too much management time, so we just don't use it. We use endpoint filtering, for those of you wondering, a tool called Zorus; I've got a video on my channel for it. Z-O-R-U-S. Untangle does a pretty good job of it. They can do basic DPI or full SSL inspection, but when it gets over here to, like, the USG, they're just doing DPI, no SSL, so there's no certificates to install. They do basic DPI inspection, and that's about it. The FortiGate, Sophos, and Meraki all have where they can do more advanced levels of it. They can get deeper into some of the application-level filtering, for example.

pfBlocker is probably really popular because you can use things like Pi-hole feeds into it. You can still run a Pi-hole with pfSense or any of these firewalls if you want, but with pfBlocker you can choose the feeds; you can have it all in one device. I don't see anything wrong with the Pi-hole project, but out of convenience, if that's something you want to run, having that built in is nice. There's some DNS-level filtering you can do in there. It's really basic what DNS filtering you can do in the USG, UDM Pro. FortiGate, Sophos all have it, but I don't think you can put your own custom feeds in any of these models that I'm aware of; could be wrong about that. I didn't put an asterisk on it, but I know they have a level of DNS filtering. I just don't know if you can do custom feeds. You can do custom lists, like you put things in there, but not the same as putting, like, a feed, an active feed, like you can in pfBlocker.

GeoIP traffic filtering: that is also facilitated through pfBlocker; it's a feature in there. There's a beta feature for this in the UniFi line. Um, then we have FortiGate, yes, yes, and Sophos, Meraki all have the GeoIP option.

Traffic shaping: there is a lot of advanced options inside of pfSense for this; same thing with the Arista Untangle. It's more of a basic on or off in the UniFi line; they don't have, I don't believe, any type of granular control. Maybe in the future they'll have something better on that, but I would list it as there, but basic. FortiGate, Sophos, Meraki all have this.

Multi-WAN support: it's always weird that this is a paid version of Arista Untangle needed for this, but hey, if you want to use dual WAN and do different load balancing between them, that is a paid option for them. Of course, in pfSense, I've got videos on this. It's hard to put this without just an asterisk; it's very basic, the control levels you have over the USG and the UDM series on this. I wouldn't call it wonderful, I would call it usable, but you know, they've gotten a little bit better over time with it, but it's still not as granularly controlled as you have in, like, pfSense or even the other firewalls like FortiGate, Sophos, and Meraki.

SNMP monitoring: yes across the board; that can be turned on on all of them.

Active Directory integration: yes, RADIUS or LDAP. Paid feature here. They actually have a really nice integration for this, and the reason you have Active Directory integration is usually going to be because you want to take your VPN authentication and your Active Directory users and pair those up, so you're not managing separate lists. RADIUS both with the UniFi line, and yes, integration over here.

Policy routing: lots of policy routing options, very advanced ones, within your pfSense.
Yes within the Untangle, yes within the USG, but this is where it gets murky, specifically, like, WireGuard. Last I checked there was still no ability to do WireGuard policy routing, which kind of could be a challenge if you're trying to set up a WireGuard site-to-site, and you're like, but I can't do a policy route for that for a site-to-site. So once again, you've got to dive into the details of it. But for IPsec, for example, they do offer the ability to do policy routing with some of the IPsec on there. With FortiGate and Sophos they have it, and I didn't put "no WireGuard" here because, well, WireGuard doesn't support it on the UXG, so it's just yes.

Firewall rule policies based on Active Directory: this is a fairly advanced feature, but enough people asked on Twitter that said, throw it on there. There's no way I'm aware of doing this at all in pfSense. So if that's, you know, you have AD objects and you have users, and you want to apply, based on the user, based on some level of authentication, a firewall rule policy based on that Active Directory object. I don't know of any way to do that in Untangle, but you can do that in the, uh, Arista. No integration with USG, but the rest of them do have this feature as well: FortiGate, Sophos, Meraki.

HAProxy: I bring this up not to say that pfSense is cool, it has it, but also it actually is very popular, especially not just homelab people, but there's sometimes services that you don't want to have to deal with certificates for. You can do this with the Let's Encrypt certificates, which are listed below, tied to HAProxy; use it locally so you're not exposing it to the world, but you can if you want. I've done videos on this, using this to have different local services managed without any certificate errors throughout an internal network. HAProxies are a really convenient way to do that, so I definitely think it's worth having in there. Obviously this is no across the board, with an interesting exception. Thanks, Christian Lempa, for pointing this out: that there's a web application type firewall, so there's extra levels of traffic inspection you can do with their built-in web application firewall for services coming from the external going through their WAF to come in there. Technically, I see no on FortiGate, and someone may say, but Tom, FortiGate sells a product that does that. Yeah, it's just not their firewall; it will integrate with it. So I almost put no asterisk, but just so you know, the firewall does not natively have something built in, but yes, you can buy another service from Meraki, and technically Meraki is owned by Cisco, and there's other services you could buy to put in front of it, but we're trying to keep this at least somewhat scoped.

Let's Encrypt certificates: no, I don't think there's any way I've seen to do them in the Arista Untangle. If someone has a document I overlooked, let me know. But without the proxy, I don't know if that really matters. And USG, nothing in there. And matter of fact, I don't even know why UniFi has never integrated the controller software either into Let's Encrypt; seems like it would be really good to do. I believe they even sponsor some of the Let's Encrypt things. Maybe there's a future roadmap where that is well integrated; I hope so, but today, um, that's not in there. FortiGate, you can do this for the firewall; I didn't see an ability to do it for anything else. And no on the Sophos or the Meraki for those certificates. But the biggest reason you want to use them is it's going to be for HAProxy, so I kind of tied those things next to each other together.

Captive portal might be another reason to use Let's Encrypt certificates, but yes, you can do this with pfSense, you can do the Arista, the UniFi controller software does the portal, so whether you have that software running on a UDM Pro or as a separate service on a Cloud Key or something self-hosted, it's going to the controller, technically not the firewall, so I made that note in there. FortiGate, yes; Sophos, yes; Meraki, yes.

Traffic monitoring and reporting: I really like ntopng. It's great; it gives you a lot of great details on there. It's not a bad tool. It's not going to be as advanced as, I think, the Arista might have a little bit better, but this is also where you can get to, uh, be splitting hairs for what you really want, how granular it needs to be: is it adequate, or do you want something that gives you, like, this user went to this website, and summary reports? The, uh, Arista reports are nice for that. UniFi, and the lack of good time slicing, means yes, it gives you information, but it's a little bit harder to digest. So I'll put that on there that it has it; the graphs look really well presented, but the granularity of them not being good makes them a little bit harder to read. But it's checking the box that it has them. FortiGate, Sophos, and Meraki all are yes.

Now, one thing missing from that features list was VLAN support. The answer is yes across the board, so I added it to the list. So if you click that chart, you're going to have it on that list.

Next, I'm just here to provide some data points. I'm not here to be your decision point. I'm not saying these are the only firewalls you can use, or you must use pfSense because I have a lot of videos on it. Ultimately, I just wanted to provide some insight into things we've done, things we've worked with, things some of my friends have worked with, and as I said, Christian Lempa really likes Sophos XG. I have a few IT manager friends that really like it, and so I included it on the list even though I don't directly use it. But hey, uh, he's got a video on it so you can dive into it, and I know he said he's creating some more videos on it as a topic, so depending on the future when you're watching this, there may be more videos linked over to his channel on that.

UniFi is one more to bring up, because I think UniFi is a good moving target for improvement. They keep getting better. They've somewhat invalidated my video about the weird way UniFi does VPNs, because they're getting better, proper VPN support. And maybe we're watching this video, or you're watching this video in the future, where UniFi has made a nice chart, so I don't have to chase down, like, release notes to figure out if they're implementing the VPN in a normal way or they've tied it to some other service like UID to be able to get it to work. As I said, I'm hoping in the future they just do it normally and make a nice chart so we understand what support on which products exists. But nonetheless, that can make UniFi a little bit challenging for routing. I think they work great, like, just for basic routing functions, but the VPN is always where people get hung up, hoping it will do something and finding out UniFi has done it slightly differently. This is always that nuance challenge you have with any of these firewalls: having support for a feature versus how they implemented it and how easy that feature is to use can vary a bit. Nonetheless, I love hearing from you. Leave your thoughts and comments down below as to which firewalls you like, which one's your favorite. I'm always curious what else is in the market. I try to keep an open mind looking at different things. Head over to my forums for a more in-depth discussion on this topic, or any way, any time you want to engage with me. And thanks.