(Sorry for top-posting) Thanks all for all your comments!
Ugo

On 2011-11-23 13:34, Ugo Bellavance wrote:
Hi,

We're thinking about replacing our CheckPoint Firewall-1 by pfSense. We are using only those features on Firewall-1 (R65):
- Security (default deny on everything)
- NAT (inbound (for internet-facing hosts) and outbound (selective, workstations go out through a proxy, other selected hosts are NAT'd based on destination host and port(s)))
- We do have some security rules defined in their SmartDefense, but it is a nightmare to configure without having many false positives. I'm pretty sure we could go without or simply add Snort to pfSense.

We had a project of roaming users VPN but it's on ice right now. We are using SSH tunnels to connect home users' PCs to the corporate network and we will need a solution for the few corporate laptops to connect to the corporate network. However, I guess that with all the options available in pfSense regarding VPN, I don't think this would be a problem.

Reasons to switch to pfSense:
- Our Firewall-1 version is not supported anymore so we have to upgrade anyway
- Service contracts are a lot cheaper
- We would have to pay extra $$ for a redundant setup (CARP pfSense is free)
- It is a platform that I know and I like open-source software
- It is "officially supported" on VMware (well, I guess, with a service contract)
- Server load balancing can be used for simple HA setups
- DHCP server on the firewall (no need for DHCP relay)
- Other interesting packages

We are thinking about running a redundant (CARP) setup with one pfSense on our VMware cluster, and one on a physical, separate machine.

Concerns:
1- NAT Reflection - We don't have a split-DNS setup. CheckPoint does seem to manage NAT Reflection perfectly.
2- Ease of migrating the configuration to pfSense - I would set up a pfSense VM in parallel and start migrating all the rules manually, but I'm scared about missing some or seeing a situation where the Firewall-1 can do it and not pfSense.
3- Backups. Are automated backups (of the config, at least) possible even w/o a service contract?
Can people share their experience with this kind of scenario? Don't hesitate if you need more info.

Thanks,
Ugo
_______________________________________________ List mailing list [email protected] http://lists.pfsense.org/mailman/listinfo/list
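Concern 2 in the quoted message (migrating rules by hand and missing some) is the kind of gap a rule inventory catches: export the new firewall's configuration, list every filter and NAT rule it actually contains, and compare that against a checklist written from the old rulebase. The script below is an added example for this thread, not pfSense's own tooling or anything the poster wrote. It assumes the general layout of a pfSense config.xml backup (`<filter>/<rule>` and `<nat>/<rule>` children with `type`, `interface`, `protocol`, `source`, `destination`, `target`, `local-port` and `descr` elements); the embedded sample config, its addresses and the checklist are all constructed for the demonstration. The default-deny check only looks for an explicit final block rule on an interface, which is how such a rule shows up in an exported inventory.

```python
"""Inventory filter and NAT rules from a pfSense-style config.xml backup.

Added example for the migration discussion above; not pfSense's own code.
The element layout is an assumption modelled on pfSense config.xml exports,
and SAMPLE_CONFIG is a constructed sample, not a real backup.
"""
import xml.etree.ElementTree as ET

# Constructed sample shaped like a pfSense config.xml export (assumption).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <filter>
    <rule>
      <type>pass</type><interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>10.0.0.5</address><port>443</port></destination>
      <descr>HTTPS to web server</descr>
    </rule>
    <rule>
      <type>pass</type><interface>lan</interface><protocol>tcp</protocol>
      <source><address>192.168.1.0/24</address></source>
      <destination><address>192.168.1.10</address><port>3128</port></destination>
      <descr>Workstations to proxy</descr>
    </rule>
    <rule>
      <type>block</type><interface>lan</interface>
      <source><any/></source><destination><any/></destination>
      <descr>Explicit default deny</descr>
    </rule>
  </filter>
  <nat>
    <rule>
      <interface>wan</interface><protocol>tcp</protocol>
      <source><any/></source>
      <destination><address>wanip</address><port>443</port></destination>
      <target>10.0.0.5</target><local-port>443</local-port>
      <descr>Port forward HTTPS</descr>
    </rule>
  </nat>
</pfsense>
"""


def _endpoint(node):
    """Render a <source>/<destination> element as 'addr[:port]' ('any' for <any/>)."""
    if node is None or node.find("any") is not None:
        addr = "any"
    else:
        addr = node.findtext("network") or node.findtext("address") or "any"
    port = node.findtext("port") if node is not None else None
    return f"{addr}:{port}" if port else addr


def filter_rules(config_xml):
    """Normalize every <filter>/<rule> into a flat dict, in rulebase order."""
    root = ET.fromstring(config_xml)
    return [{
        "action": r.findtext("type", "pass"),
        "interface": r.findtext("interface", ""),
        "proto": r.findtext("protocol", "any"),   # missing protocol means any
        "src": _endpoint(r.find("source")),
        "dst": _endpoint(r.find("destination")),
        "descr": r.findtext("descr", ""),
    } for r in root.findall("./filter/rule")]


def nat_rules(config_xml):
    """Normalize every <nat>/<rule> (inbound port forward) into a flat dict."""
    root = ET.fromstring(config_xml)
    return [{
        "interface": r.findtext("interface", ""),
        "proto": r.findtext("protocol", "any"),
        "dst": _endpoint(r.find("destination")),
        "target": f"{r.findtext('target', '')}:{r.findtext('local-port', '')}",
        "descr": r.findtext("descr", ""),
    } for r in root.findall("./nat/rule")]


def missing_rules(required, present):
    """Return the (interface, proto, dst) tuples from the checklist absent from the inventory."""
    have = {(r["interface"], r["proto"], r["dst"]) for r in present}
    return [req for req in required if req not in have]


def last_rule_is_block(rules, interface):
    """True when the last rule on `interface` is an explicit block (default deny visible in the export)."""
    on_if = [r for r in rules if r["interface"] == interface]
    return bool(on_if) and on_if[-1]["action"] == "block"


if __name__ == "__main__":
    inventory = filter_rules(SAMPLE_CONFIG)
    # Constructed checklist written from the old rulebase; the SMTP entry is deliberately absent.
    checklist = [("wan", "tcp", "10.0.0.5:443"),
                 ("lan", "tcp", "192.168.1.10:3128"),
                 ("wan", "tcp", "203.0.113.9:25")]
    print("missing:", missing_rules(checklist, inventory))
    print("lan ends in block:", last_rule_is_block(inventory, "lan"))
```

Running it against a real export (the file pfSense writes as config.xml) instead of SAMPLE_CONFIG turns the checklist diff into a repeatable migration test: keep the checklist in version control, re-run after each batch of manual rule entry, and the list of missing tuples shrinks to empty when the cut-over is complete.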
