The SIP ALG in the Juniper SRXs is definitely one of the best I've come across.

I defaulted to turning it off based on my previous experiences with SIP ALGs and NAT; however, it became apparent that it actually worked really well and I ended up defaulting it to on.

- Tim

> On 6 May 2016, at 3:37 AM, Andrew Kirch <trel...@trelane.net> wrote:
>
> Both the Juniper SRX and the Mikrotik will work.
>
> The problem isn't firewalling, it's NAT. NAT is evil.
>
> Perhaps having enough IP addresses would be a better solution?
> https://www.youtube.com/watch?v=v26BAlfWBm8
>
> On Thu, May 5, 2016 at 3:09 PM, Matt Freitag <mlfre...@mtu.edu> wrote:
>
>> I'm a huge fan of Juniper's SRX line. I use all the features you point out at home on my SRX210, although that product is end-of-life. A refurbished SRX220 lists on Amazon for about $375, and a new one for $700. Naturally support is extra, but I'm not sure how much.
>>
>> I haven't used it myself but I have seen the packet capture in action. It'll save any traffic you want right out to a pcap file too. I also like "show security flow session" - shows you the source, destination, ports, how long a session has been going, and number of packets and number of bytes transferred.
>>
>> Matt Freitag
>> Network Engineer I
>> Information Technology
>> Michigan Technological University
>> (906) 487-3696
>> http://www.mtu.edu/
>> http://www.it.mtu.edu/
>>
>> -----Original Message-----
>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Nick Ellermann
>> Sent: Thursday, May 5, 2016 2:51 PM
>> To: Mel Beckman <m...@beckman.org>
>> Cc: nanog@nanog.org
>> Subject: RE: sub $500-750 CPE firewall for voip-centric application
>>
>> You're exactly right, Mel. Dell has really turned the Sonicwall platform around in the past few years. We dropped it a year or two before Dell took them over. Back then Sonicwall was full of issues and lacked important features that our enterprise customers required. If you have budget, Palo Alto is something to look at as well, but don't overlook Sonicwall and FortiGate.
>>
>> Sincerely,
>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>>
>> E: nellerm...@broadaspect.com
>> P: 703-297-4639
>> F: 703-996-4443
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>>
>> -----Original Message-----
>> From: Mel Beckman [mailto:m...@beckman.org]
>> Sent: Thursday, May 05, 2016 2:49 PM
>> To: Nick Ellermann <nellerm...@broadaspect.com>
>> Cc: Ken Chase <m...@sizone.org>; nanog@nanog.org
>> Subject: Re: sub $500-750 CPE firewall for voip-centric application
>>
>> I install and support Cisco ASA, Dell SonicWall, Fortigate, and PaloAlto firewalls. The best SMB devices are definitely SonicWall and Fortigate. SonicWalls are easier to configure, but have fewer features. Fortigate has many knobs and dials and a very powerful virtual router facility that can do amazing things. The two vendors have equivalent support in my opinion, although Fortigate tends to be more personal (Dell is big and you get random techs).
>>
>> Cisco ASA is overpriced and under-featured. Cisco-only shops like them, but mostly I think because they're Cisco-only. PaloAlto is expensive for what you get. Functionally they are on the same level as Fortigate, with a slightly more elegant GUI. But Fortigate can be configured via a USB cable, which is a huge advantage in the field. Legacy RS-232 serial ports are error-prone and slow.
>>
>> -mel
>>
>>> On May 5, 2016, at 11:39 AM, Nick Ellermann <nellerm...@broadaspect.com> wrote:
>>>
>>> We have a lot of luck for smaller VOIP customers having all of their services run through a FortiGate 60D, or higher models. 60D is our go-to solution for small enterprise. However, if we are the network carrier for a particular customer and they have a VoIP deployment of more than about 15 phones, then we deploy a dedicated voice edge gateway, which is more about voice support and handset management than anything. You do need to disable a couple of things on the FortiGate such as SIP Session Helper and ALG. We never have voice termination, origination or call quality issues because of the firewall.
>>>
>>> FortiGate has a lot of advanced features as well as fine tuning and adjustment capabilities for the network engineering type and is still easy enough for our entry level techs to support. Most of our customers have heavy VPN requirements and FortiGates have great IPsec performance. We leverage a lot of the network security features and have built a successful managed firewall service with good monitoring and analytics using a third-party monitoring platform and Fortinet's FortiAnalyzer platform.
>>>
>>> Worth looking at, if you haven't already. If you want to private message me, happy to give more info.
>>>
>>> Sincerely,
>>> Nick Ellermann - CTO & VP Cloud Services BroadAspect
>>>
>>> E: nellerm...@broadaspect.com
>>> P: 703-297-4639
>>> F: 703-996-4443
>>>
>>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
>>>
>>> -----Original Message-----
>>> From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
>>> Sent: Thursday, May 05, 2016 1:54 PM
>>> To: nanog@nanog.org
>>> Subject: sub $500-750 CPE firewall for voip-centric application
>>>
>>> Looking around at different SMB firewalls to standardize on so we can start training up our level 2/3 techs instead of dealing with a mess of different vendors at cust premises.
>>>
>>> I've run into a few firewalls that were not SIP or 323 friendly however, wondering what your experiences are. Need something cheap enough (certainly <$1k, <$500-750 better) that we are comfortable telling endpoints to toss current gear/buy additional gear.
>>>
>>> Basic firewalling of course is covered, but also need port range forwarding (not available until later ASA versions for eg was an issue), QoS (port/flow based as well as possibly actually talking some real QoS protocols) and VPN capabilities (not sure if many do without #seats licensing schemes which get irritating to clients).
>>>
>>> We'd like a bit of diagnostic capability (say tcpdump or the like, via shell preferred) - I realize a PFsense unit would be great, but might not have enough brand name recognition to make the master client happy plopping down as a CPE at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a bit $$ and licensing acrobatics get irritating for end customers.)
>>>
>>> /kc
>>> --
>>> Ken Chase - Guelph Canada
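Nick's point above, that the FortiGate has two separate SIP handling paths (the kernel "session helper" and the proxy-based ALG) and both need switching off before a VoIP deployment behind it behaves, is the part of this thread a tech standardizing on the 60D will actually have to type in. The fragment below is an added example, not configuration posted by anyone in the thread. It follows the FortiOS 6.x CLI; the session-helper entry id (13) is an assumed value that must be read from the `show` output on the unit in question, and the exact knob names differ between FortiOS releases, so treat them as assumptions to verify against the release notes for the firmware you run.

```text
# Added example (FortiOS 6.x CLI, assumed): disable both SIP handling paths on a FortiGate.

# 1. Kernel session helper. List the helpers first; the SIP entry is the one with
#    'set name sip' / 'set port 5060'. Its id varies per unit - 13 is an assumed value.
config system session-helper
    show
    delete 13
end

# 2. Global SIP settings. default-voip-alg-mode selects which path handles SIP by
#    default; sip-helper and sip-nat-trace turn the kernel helper's NAT rewriting off.
config system settings
    set default-voip-alg-mode kernel-helper-based
    set sip-helper disable
    set sip-nat-trace disable
end

# 3. Proxy-based ALG. A VoIP profile attached to a firewall policy re-enables SIP
#    inspection even with the helper gone, so disable SIP and RTP handling in the
#    profile (or detach the profile from the policies carrying phone traffic).
config voip profile
    edit "default"
        config sip
            set status disable
            set rtp disable
        end
    next
end

# 4. Verify after a phone re-registers: sessions to the SIP port should no longer
#    carry a helper binding (no 'helper=sip' in the entry).
diagnose sys session filter dport 5060
diagnose sys session list
```

Two caveats from field use: Fortinet's own guidance has, for some releases, called for a reboot after deleting the session helper before the change takes effect, so check that the `diagnose sys session list` output is clean rather than assuming it; and the point Tim makes at the top of the thread cuts the other way on the SRX, where the ALG is worth leaving on. If an SRX ever does need it off, the Junos equivalent is a single knob (`set security alg sip disable`), and `show security alg status` confirms the state.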