On 23-11-2011 19:34, Ugo Bellavance wrote:
> Hi,
>
> We're thinking about replacing our CheckPoint Firewall-1 by pfSense. We
> are using only those features on Firewall-1 (R65):
>
> - Security (default deny on everything)

Delete the LAN -> any rule on the LAN interface and you are good to go. The rest is default deny.

> - NAT (inbound (for internet-facing hosts) and outbound (selective,
> workstations go out through a proxy, other selected hosts are NAT'd
> based on destination host and port(s))

Well, you can assign multiple VIPs on the WAN and create manual outbound NAT rules to tie different LAN hosts to different external addresses. This is aside from things like 1:1 NAT.

> - We do have some security rules defined in their SmartDefense, but it
> is a nightmare to configure without having many false positives. I'm
> pretty sure we could go without or simply add Snort to pfSense

Unfamiliar with that. I scrapped a WatchGuard Firebox years ago, before UTM was a common thing.

> We had a project of roaming users VPN but it's on the ice right now. We

Use OpenVPN. Install the client exporter package; it includes a Windows client and config files for 2 Macintosh clients. Do you need the AD auth as well? I am using it against a RADIUS server, though.

> are using SSH tunnels to connect home users' PCs to the corporate network
> and we will need a solution for the few corporate laptops to connect to
> the corporate network. However, I guess that with all the options
> available in pfSense regarding VPN, I don't think this would be a problem.

IPsec VPNs are commonly used for site-to-site tunnels. OpenVPN tunnels can work too.

> - Our Firewall-1 version is not supported anymore so we have to upgrade
> anyway

+2 WatchGuard Fireboxes.

> - Service contracts are a lot cheaper

Is it a service contract if they take 8 months to fix an issue?

> - We would have to pay extra $$ for a redundant setup (CARP pfSense is
> free)

Getting gigabit? We have a new shiny model you can buy for some randomly generated 5-figure price.

> - Server load balancing can be used for simple HA setups

Inbound as well as outbound if you have multi-WAN.

> - DHCP server on the firewall (no need for DHCP relay)

These can be made redundant too; that's what I have had here for the past few years.

> - Other interesting packages

OpenVPN client exporter is very popular.

> We are thinking about running a redundant (CARP) setup with one pfSense
> on our VMWare cluster, and one on a physical, separate machine.

Don't. Either do both in a VM or both physical. I tried and it burned. For ~1k euro you get a Dell R310 with 6 gig NICs.

> 1- NAT reflection - We don't have a split-DNS setup. CheckPoint does
> seem to manage NAT reflection perfectly.

For 1:1 NAT you need to add port forwards on top of your 1:1 and it will work.

> 2- Ease to migrate the configuration to pfSense - I would set a pfSense
> VM in parallel and start migrating all the rules manually, but I'm
> scared about missing some or seeing a situation where the Firewall-1 can
> do it and not pfSense.

You will need to write one to convert various bits of config to the pfSense XML format.

> 3- Backups. Are automated backups (of the config, at least) possible
> even w/o a service contract?

Some use SSH/rsync with public keys. If you have a support contract you can use the ACB package. It comes with the subscription.

Regards,
Seth
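One way to do the key-based SSH config backup that the last answer mentions, as an added example that is not Seth's code nor the pfSense project's; the host, SSH user, key path and remote config path are placeholder assumptions, and the copy is only kept when it at least looks like an XML file, so a failed transfer never overwrites a good backup:

```shell
#!/bin/sh
# Added example, not from the thread: pull the firewall config over SSH with a
# public key, keep only well-formed dated copies, and prune old ones.
# Assumptions (placeholders, adjust for your install): host, SSH user, key path
# and the remote config path.
set -u

PFSENSE_HOST="${PFSENSE_HOST:-firewall.example.internal}"              # assumption
PFSENSE_USER="${PFSENSE_USER:-backup}"                                  # assumption
BACKUP_KEY="${BACKUP_KEY:-${HOME:-/root}/.ssh/pfsense_backup}"          # assumption
PFSENSE_CONFIG="${PFSENSE_CONFIG:-/path/to/config.xml}"                 # placeholder
BACKUP_DIR="${BACKUP_DIR:-/var/backups/pfsense}"
KEEP="${KEEP:-30}"

# backup_name DIR STAMP: path of a dated copy; fixed-width stamps sort by time.
backup_name() {
    printf '%s/config-%s.xml\n' "$1" "$2"
}

# looks_like_config FILE: succeed only for a non-empty file whose first line is
# an XML declaration (an empty or truncated transfer fails this check).
looks_like_config() {
    [ -s "$1" ] && head -n 1 "$1" | grep -q '^<?xml'
}

# prune_backups DIR KEEP: delete all but the KEEP newest config-*.xml copies.
prune_backups() {
    total=$(ls -1 "$1"/config-*.xml 2>/dev/null | wc -l | tr -d ' ')
    excess=$((total - $2))
    [ "$excess" -gt 0 ] || return 0
    ls -1 "$1"/config-*.xml | sort | head -n "$excess" | while IFS= read -r f; do
        rm -f "$f"
    done
}

# run_backup: non-interactive, key-only scp (BatchMode never prompts for a
# password), then validate, store under a UTC timestamp and prune.
run_backup() {
    mkdir -p "$BACKUP_DIR"
    tmp="$BACKUP_DIR/.incoming.$$"
    scp -q -i "$BACKUP_KEY" -o BatchMode=yes -o StrictHostKeyChecking=yes \
        "$PFSENSE_USER@$PFSENSE_HOST:$PFSENSE_CONFIG" "$tmp" || { rm -f "$tmp"; return 1; }
    if ! looks_like_config "$tmp"; then rm -f "$tmp"; return 1; fi
    mv "$tmp" "$(backup_name "$BACKUP_DIR" "$(date -u +%Y%m%dT%H%M%SZ)")"
    prune_backups "$BACKUP_DIR" "$KEEP"
}

if [ "${1:-}" = "run" ]; then run_backup; fi
```

Run it from cron as `backup.sh run` with a dedicated, restricted SSH key on the firewall; the pull, validate and prune steps are separate functions so each can be checked on its own.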
