Tom here from Lawrence Systems, and we're going to compare pfSense and UniFi firewalls here on July 29th of 2023. I bring up the date because, yes, I've been critical for a long time of the UniFi firewalls, and people ask me, "Tom, since they've added new features, have you changed your mind?" And the latest feature they've come up with is a Magic Site to Site, as they call it. It's not magic, but it's definitely some really clever programming. I think this is a really neat feature. I think this is a good time, because of the changes that have been made, to compare these two firewalls together, because they're arguably the most popular firewalls I see in the home lab, small business, and managed services markets. IT admins really like both of these products, and they do have their place. But despite us installing thousands and thousands of UniFi devices in the past, I did not include firewalls in the devices that we would offer to clients because they were very much lacking. And that big lack came around the way their features worked in terms of VPN. I was pretty critical for a long time when they had forced registrations and their VPN issues. And now they've kind of come all the way back around here in July of 2023 to having a normal setup for a firewall, with a traditional-style VPN that doesn't require you to attach to the cloud, with the exception of the site-to-site one, the Magic Site to Site, but I will walk you through how it works.

Now, I have extensive knowledge, and I should say we as a company have extensive knowledge, on both of these products because of the volume at which we deploy them. If you'd like to hire us for consulting, head over to lawrencesystems.com, click on that "hire us" button, and we will do consulting on UniFi, pfSense, or even a UniFi plus pfSense setup, which is actually a really common setup that we run into. All right, now let's jump over to this comparison.
By the way, everything's going to be linked down below, including my other firewall comparison video where I talk about more firewalls than just pfSense and UniFi, but we're going to keep this narrative in scope to just those.

Now, the first thing I want to do is explain pfSense CE and Plus. I have a video where I dive deeper into the details, but all the features we're going to talk about are available on both the Community Edition and the Plus Edition. The USG and UXG Pro are one line of UniFi firewalls that are available. And then we have the UniFi Dream series. So you've got your Dream Machine Pro, your Pro SE, I believe there's a Dream Wall, and there may be more in the future, but their Dream series works differently than their USG/UXG series. So I have them in two different categories, because that's where the feature differences are between them. Ubiquiti, the parent company that offers the UniFi product line, does have other firewalls as well, the Edge series, that are not going to be included here because I don't really see them as a popular product anymore. I just don't use them enough to know enough about them, and I don't see a lot of updates or a lot of use cases for them because their hardware is getting a little bit old, so I'm omitting those from the list to keep this narrowed scope to the ones that are popular.

Now, can you run it on your own hardware, and can it be virtualized? That's a yes and a yes for pfSense, and obviously not for UniFi. There's no way to, well, there are hacky ways if you wanted to try to figure out how to build this on your own hardware, but it is not something that's even remotely supported; they don't offer an installer to set this up on your own system.

Now, centralized management. This is something definitely missing from the pfSense series. And with UniFi, there are two different ways to do it. So you can manage the USG and UXG Pro via the UniFi controller software, which is free.
You can self-host this. You can use someone like HostiFi to host it. You can use their controller to host it, or specifically something like a Cloud Key. With the UniFi Dream Machines, it's a little bit different. You can only manage these centrally through the cloud on their site. So you can tie several UniFi Dream Machines to the UniFi cloud, and the controller runs within the UniFi Dream Machine. That's an important distinction, because you can't adopt it to your own self-hosted controller. And this is something people get mixed up on a lot, trying to figure out how to get it adopted so they can manage it through something central that's not UniFi's cloud. So just something you should be very aware of if you're trying to set many of these up. The only way to manage them as a group, and the way to get the Magic Site to Site VPN working that we'll talk about momentarily, is with them tied to the UniFi cloud, because that's what does the coordination of these.

License fees. No, but I put an asterisk because technically you can buy support contracts for your pfSense Plus. And if you are using it and want to have commercial support, including SLA agreements, yes, you can go with that with Plus. I covered that in my pfSense Plus video, talking about some of the different tier levels of support you can get. Their support is really good with pfSense. This is one of the things that makes it popular, not just in the IT sector but even in some of the enterprise companies that use this. It's got a lot of good documentation and a lot of good support. That's something you're not going to be able to get in the same way with the USGs and the UDMs, but there are no license fees, which is really what that's about.

Operating system. pfSense is FreeBSD, and these are both Linux based.

High availability. Yes, this is a very popular feature, and it's not licensed in any way. None of these features we're talking about require any type of licensing to activate.
So you can set up an HA setup with any two pfSenses, whether it's two boxes you bought from Netgate or two, preferably similar, systems that you are using to mirror and set up as a high availability system. Not an option in either one of these.

BGP/OSPF. Yes, it's supported in pfSense. Not exactly supported on the others: OSPF is used as part of the back end for the Magic VPN, but it's not something that's exposed that you can set up and configure.

VLAN support. They all support VLANs, and I will say the way that the USG and UDM line handles it is going to be really well integrated with your UniFi equipment, which is certainly one of the reasons people want to use their firewalls, because if you create a VLAN inside of pfSense, you have to create the corresponding VLANs inside of your switching equipment. And if you're doing it via the UniFi controller, and that controller is controlling the same switching equipment and same access points, you only have to create it once and it'll propagate. So there's definitely an advantage, and this is one of the reasons people ask so much about the UniFi line of firewalls, because, well, that single pane of glass is really, really nice.

OpenVPN. Yes, with lots of extensive features on pfSense, and we're going to say yes, but basic, for the others. Yes, it's on the EA and the Pro, but it's also basic. It's early access, but I believe by now it might be full release. Either way, it's still basic, is the way I would describe the OpenVPN support. It works, it's there, but if you want to twiddle the knobs of the more advanced features, you're not going to find them in there.

IPsec. Yes, they all support IPsec.

WireGuard. Yes, this is built into pfSense. I didn't see anywhere it was available on the UXG Pro, but it does support WireGuard in the sense that the Magic VPN uses WireGuard, and without having a UXG Pro, I couldn't find it in their documentation. If someone has a link, that'd be great and I'll update this to a yes.
But yes, it is in the UniFi Dream Machine series; that does have WireGuard.

L2TP VPN. Yes on pfSense. Yes across the board here.

Automatic site to site. This is that, as they refer to it, Site Magic, which is available on the UXG, and they just call it Site Magic on the UDM series. Now let's talk about this one real quick, because I want to get a little bit in depth. I think this is just a really neat feature, and a lot of people are probably wondering about this and whether this is the reason to buy one, and it might be one for you. So first, what is it? Magic Site to Site VPN allows you to easily interconnect UniFi gateways across multiple locations with just a few clicks, and I'll leave a link to this so you can read through it. It does require that you're on UniFi OS 3.18 or UXG Pro 3.13, UniFi OS hosts that run the Network application 7.4.15 or newer, at least one public IP address (that's a very important one there), and all participating consoles must have the same owner. That's because it ties to Ubiquiti's cloud. So you must set up each of your devices with you as the owner in the Ubiquiti cloud, because that handles the coordination of it.

Now let's talk about how it actually works. I'm going to run over this really quick, where we have Network A and Network B. It is important to note that you can have more than one network on each side of this, but this is the basic explainer here. I'll leave a link to Cody's video because he's got a demo of it as well that's a little bit more extensive. But essentially, if you want Network A and Network B talking, you have each of these UniFi firewalls, and at least one of them has to have a public IP. So if this one has a public IP, and we have some random firewall in front of the other, meaning this other UniFi is behind a private IP, we connect both of these to the UniFi Cloud portal.
Once they talk to the UniFi Cloud portal, it'll figure out which one of these has a public IP address and tell the one behind the private IP address to talk to the other that way. So this firewall will reach out and connect to a WireGuard instance. This is done in a very automated way. And one of the things that UniFi did clarify is that if the UniFi Cloud portal goes down, the established connections will stay. But if there's an IP address change, or changes you need made to the network, until the UniFi Cloud portal comes back up, you're not making those changes. That's an important thing: it does rely on you joining, and on the Cloud portal being up. And of course, one more thing, and that's that Network A and Network B are on different subnets, because they wouldn't know how to route otherwise. But I do think it's really clever that these just automatically get set up.

Now, while pfSense doesn't have an automated way to do this just by checking a couple of boxes and joining two pfSenses together, you can manually set them up. There are videos and tutorials on WireGuard, and there's documentation on the Netgate site to cover exactly how to set up WireGuard and get a site-to-site VPN working. It's just not dynamic and being managed by a controller. But that's why I did throw Tailscale in here, because Tailscale is an overlay network. Automatic site to site is just automatically joining WireGuard together and figuring out how to get the routes between all the devices; Tailscale is an overlay network. I've got videos where I dive in depth on it, and Tailscale is awesome for being able to not just tie firewalls together, but also tie devices to firewalls to different subnets. Overlay networks are a different way of solving the VPN problem, but a very clever and very welcome way, especially when you have different devices behind firewalls that don't allow you to have a public IP address on your firewall.
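As an added example that is not from the video or from Netgate's documentation, here is what the manual WireGuard site-to-site the speaker contrasts with Site Magic looks like when only Site A has a public IP and Site B is behind someone else's NAT. All addresses, subnets and keys are assumed placeholders.

```ini
# ---- Site A: pfSense with a public IP (203.0.113.10, assumed), LAN 192.168.10.0/24 ----
# Site A only listens; it cannot initiate because Site B's NAT address is not known.
[Interface]
PrivateKey = <SITE_A_PRIVATE_KEY>            # placeholder, generate with `wg genkey`
Address = 10.255.0.1/30                       # tunnel transit network, assumed
ListenPort = 51820                            # must be allowed inbound on Site A's WAN

[Peer]
# Site B: no Endpoint here, because Site B sits behind a NAT with a private IP
PublicKey = <SITE_B_PUBLIC_KEY>
AllowedIPs = 10.255.0.2/32, 192.168.20.0/24   # Site B's tunnel address plus its LAN
# AllowedIPs carries the remote LAN, which is why the two LANs must be different subnets.

# ---- Site B: pfSense behind a NAT (private WAN), LAN 192.168.20.0/24 ----
[Interface]
PrivateKey = <SITE_B_PRIVATE_KEY>
Address = 10.255.0.2/30
# no ListenPort needed: Site B always dials out

[Peer]
PublicKey = <SITE_A_PUBLIC_KEY>
Endpoint = 203.0.113.10:51820                 # the one public IP in the pair
AllowedIPs = 10.255.0.1/32, 192.168.10.0/24   # Site A's tunnel address plus its LAN
PersistentKeepalive = 25                      # keeps the NAT mapping open so Site A can reach back
```

In pfSense these same fields are entered under VPN > WireGuard (Tunnels and Peers), and each side still needs a static route for the remote LAN through the tunnel plus firewall rules on the WireGuard interface. A tunnel built this way keeps working with no coordination server, but if Site A's public IP changes, the Endpoint on Site B has to be edited by hand.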
So Tailscale, for example, will work without public IP addresses on different devices. They'll still be able to talk to each other. But that does require, of course, joining the Tailscale coordination server to make all that work, or self-hosting an instance of it yourself using something like Headscale.

IDS and IPS. Suricata or Snort are both available in pfSense. You have a very basic version, and under the hood it's still Suricata, available with the UXG Pro, USG, and the UniFi Dream Machine line. I say basic because they just don't give you as many features. pfSense gives you all the features and fully exposes them through a web interface, so you can manage whichever one you choose, control what feeds are in there and how fine-tuned you'd like this to be. And they give you just a lot of bells and whistles for it, so it's a much more extensive system. But under the hood, it's actually still Suricata with the UniFi line.

Content filtering. It does not work well in pfSense. I know there's the ability to do it, so I put yes, but complex. I'm probably understating how complicated it is to run Squid, and why I never use it. It's just not a feature we even want to use, because it's just a headache. Basic DPI, no SSL inspection, is how they do it on the UniFi side. So they're doing some basic deep packet inspection so they can block certain things, but you don't have full SSL unraveling and inspection. While you can do that over here in pfSense, back to it: it's just complicated to manage, and you have to man-in-the-middle all of your devices to get them to go through there to get that done. So neither one of them is great for that feature.

DNS filtering. pfBlocker is amazing for doing a lot of cool stuff when it comes to both DNS filtering and GeoIP filtering. They've got some basic filtering options for DNS inside of the UniFi line.

Traffic shaping. Very advanced on pfSense. You can get granular with a ton of features with traffic shaping. You have a lot of options.
There are kind of some basic on or off features on UniFi, but there's no real tuning you can do to the same extent you can in pfSense. So yes, it has it, but no, they're not quite the same in terms of features.

Multi-WAN support. I almost wanted to put yes, advanced, because you can do so much with Multi-WAN on pfSense. On UniFi, yes, you can do it, but the rules are going to be not as tunable in terms of all the thresholds and all the details, maybe when you want things to fail over and load balance. It does have those features, though.

Active Directory integration. Yes, RADIUS or LDAP. Yes, via RADIUS. Yes, via RADIUS. So there are ways you can integrate Active Directory for your VPN authentication.

Policy routing. Yes, yes, and yes. The policy routing, though, once again, pfSense has a much more advanced feature set for that, but yes, it is supported.

Firewall rule policies on Active Directory. None of these have it, if that's a feature you really need. It's just not going to be available in any of these firewalls listed here.

Reverse proxy or web application firewall. HAProxy is a feature you can turn on inside of pfSense. I've done videos on that. It'll even handle all the certificate management and termination for all your devices, and you can set it up so you can grab a wildcard cert and have it serving up certs for all of your internal things without even publicly exposing them. I really like HAProxy. It just solves a lot of those little problems by dealing with it right at the firewall level, and then all the granular control that comes with it. That is not something that is available in the UniFi line.

Let's Encrypt certificates. Yes, but there's actually more than just that supported; I said yes to Let's Encrypt because they're probably the most popular ones out there, and you can do them via DNS inside of here.

Captive portal. This is something where, once again, there are a lot more features on the pfSense one, but you do get a captive portal.
So if you just have some basic captive portal needs, those will work under the UniFi line as well.

Traffic reporting and monitoring. Very different in the way they work. ntopng, I've done a whole video on it. It's a pretty extensive package. It gives you a lot of granular detail. On UniFi you just don't get that granular detail. So yes, it has information, but it doesn't have the really nice time series information that allows you to dive deeper into the traffic so you can get a better understanding of it. But it's there as a yes. It's just a yes; it's not the most advanced version of it.

Now I hope this video gave you a better understanding of the differences between the UniFi firewalls and what's offered by pfSense, and the feature differences between them. Ultimately, it comes down to what works for you. I think they're both good firewalls. I don't have any concerns about security problems from either one of these companies. It really just comes down to the features. And because we do a lot of consulting, we get people who want us to make the firewall do something it wouldn't do. And this is why starting with a list of features before you buy the firewall, and doing some research on them, helps you make a more informed decision, so you know it'll fit your needs. And that's really what this is all about: what works for you.

By the way, leave some comments and let me know which one works for you and what context you're using it in: your home, your lab, your business, maybe you're an IT manager using this at clients. Let me know. I love hearing from you. I love hearing your thoughts on all of this, or if you just hate all of these firewalls and you like to use something different, I wouldn't mind hearing that too. It's always, you know, fun to engage with the community on there. If you want to discuss this further, forums.lawrencesystems.com is a great place where you can interact with me on this and other videos.
And if you want to see more content from this channel, like and subscribe. It is greatly appreciated, and thank you very much. See you next time.