A Firewall is not something you plug in and forget about. It needs to be monitored and managed.
When purchasing a Firewall, you should consider:
1. Size of the network
2. Speed of the Internet
3. Number of potential VPNs
4. General traffic flow
5. Line of business applications
Firewall Types
Traditional OSI L4 (filter traffic by port number)
NGFW OSI L7 (filter traffic by application)
Unified Threat Management (UTM)
Next Gen Firewall (IDS/IPS, URL and spam filter, content and malware inspection)
L3 Edge/Border Router (NAT, routing protocols)
Site-to-Site and Mobile VPN
Captive Portal
DNS/DHCP Server
Load Balancing, Traffic Shaping
HA Dual WAN
UTM Vendors
1. Palo Alto - Palo Alto Networks is known for its robust and advanced cybersecurity solutions, particularly in the next-generation firewall (NGFW) category.
2. Cisco Meraki - Meraki is known for its cloud-managed networking and security appliances. It's a subsidiary of Cisco, offering cloud-based solutions for network security.
3. Fortinet - Fortinet is recognized for its strong network security solutions, including firewalls, and has a significant market presence.
4. Sophos - Sophos offers a range of security products, including firewall solutions, and has a significant customer base.
5. SonicWall - SonicWall is known for its firewall and network security products, although it may be considered somewhat smaller compared to the companies listed above.
6. Netgate - Netgate is the company behind pfSense, an open-source firewall and router platform. While it's highly regarded for certain use cases, it may not be as widely recognized as the larger vendors in this list.
7. Ubiquiti - Ubiquiti UniFi is primarily known for its wireless and networking equipment. While they may offer basic security features, they are not as prominent in the firewall and security market as others on this list.
VLAN Office Scheme
10.0.1.1/24 - Core (Devices)
10.0.2.1/24 - Staff
10.0.3.1/24 - VoIP
10.0.4.1/24 - CCTV
10.0.5.1/24 - IoT
10.0.6.1/24 - Guest

Small Office (1-10 employees)
Medium Office (11-50 employees)
Big Office (51-200 employees)
Large Corporation (201-1000 employees)
Bandwidth Calculator
Virtual Private Network VPN

SSL/TLS for user access

Cisco AnyConnect
Fortinet FortiClient
UI WiFiman (Teleport VPN)
OpenVPN

IPSec tunnels site-to-site access (SD-WAN)

pfSense site-to-site
SD-WAN uses IPsec under the hood:
Palo Alto Networks PA-Series
Cisco Meraki MX Series
Fortinet FortiGate F,G series + FortiManager
Ubiquiti UniFi Site Magic
Modern VPN (WireGuard)
WireGuard Tunnel (pfSense)
Description, Listen Port: 51820, Interface Keys (private, public), Pre-shared Key
Interface: OPT1 (change name), Static IPv4: 10.0.1.1/24
Firewall Rule (WGVPN): Action: Pass, Protocol: Any, Description: WireGuard Allow
Firewall Rule (WAN): Action: Pass, Protocol: UDP, Destination Port Range: From 51820 to 51820, Description: WireGuard Allow
Peers: Tunnel: tun_wg0 (WireGuard), Description: WindowsPC (peer hostname), Public Key: ... (peer pk), Pre-shared Key: ... (extra security), Allowed IP: 10.0.1.10/32 (peer assigned IP)
WireGuard Clients (Peers)
New Tunnel: pfSense5720, Public key: ... (autogenerated)
[Interface]
PrivateKey = ... (autogenerated)
Address = 10.0.1.10/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = ... (pfSense tunnel)
PreSharedKey = ... (pfSense peer)
AllowedIPs = 10.0.1.0/24, 10.0.0.0/24 (Split Tunnel)
AllowedIPs = 0.0.0.0/0 (Full Tunnel)
Endpoint = Public_IP:51820 or DDNSHostname:51820
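As an added example (not part of these notes or of pfSense itself), a Python check that parses a client-side [Interface]/[Peer] config like the one above and verifies it against the pfSense peer entry: the client Address must fall inside the peer's Allowed IP (10.0.1.10/32), a split tunnel must still route the tunnel subnet so 10.0.1.1 stays reachable, the Endpoint port must match the listen port 51820, and the pre-shared key must be present. The config text, the placeholder keys and the hostname vpn.example.invalid are constructed.

```python
import ipaddress
# Constructed client config mirroring the pfSense tunnel above (placeholder keys; vpn.example.invalid = Public_IP/DDNSHostname)
CLIENT_CONF = """
[Interface]
PrivateKey = PLACEHOLDER_CLIENT_PRIVATE_KEY
Address = 10.0.1.10/24
DNS = 1.1.1.1, 8.8.8.8
[Peer]
PublicKey = PLACEHOLDER_PFSENSE_TUNNEL_PUBLIC_KEY
PreSharedKey = PLACEHOLDER_PRESHARED_KEY
AllowedIPs = 10.0.1.0/24, 10.0.0.0/24
Endpoint = vpn.example.invalid:51820
"""

def parse_wg_conf(text):
    """INI-style config -> [(section, {key: value}), ...]; a list because several [Peer] sections may occur."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments; blank lines match neither branch below
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[-1][1][key] = value
    return sections

def allowed_nets(allowed_ips):
    return [ipaddress.ip_network(n.strip()) for n in allowed_ips.split(",")]

def tunnel_mode(allowed_ips):
    """'full' when AllowedIPs carries a default route (0.0.0.0/0), else 'split'."""
    return "full" if any(n.prefixlen == 0 for n in allowed_nets(allowed_ips)) else "split"

def check_client_conf(text, listen_port=51820, pfsense_allowed_ip="10.0.1.10/32"):
    """Findings about the client config versus the pfSense peer entry; [] means consistent."""
    findings, sections = [], parse_wg_conf(text)
    addr = ipaddress.ip_interface(next(d for s, d in sections if s == "Interface")["Address"])
    if addr.ip not in ipaddress.ip_network(pfsense_allowed_ip):  # pfSense routes only its Allowed IP to this peer
        findings.append(f"Address {addr} outside pfSense Allowed IP {pfsense_allowed_ip}")
    for peer in (d for s, d in sections if s == "Peer"):
        # split tunnel: the tunnel subnet itself must be routed, or pfSense (10.0.1.1) is unreachable through it
        if tunnel_mode(peer["AllowedIPs"]) == "split" and \
                not any(addr.network.subnet_of(n) for n in allowed_nets(peer["AllowedIPs"])):
            findings.append(f"tunnel subnet {addr.network} missing from AllowedIPs")
        if "PreSharedKey" not in peer:
            findings.append("peer has no PreSharedKey (pfSense peer entry sets one)")
        port = int(peer["Endpoint"].rsplit(":", 1)[1])
        if port != listen_port:
            findings.append(f"Endpoint port {port} != pfSense listen port {listen_port}")
    return findings
```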

Enterprise Mesh/Overlay VPN (Tailscale)

| | Encryption | Open Source | Self Hosting | Client Support |
|---|---|---|---|---|
| Tailscale | WireGuard | Client only | 3rd party (Headscale) | Windows, macOS, Linux, iOS, Android, Synology, pfSense |
| Netbird | WireGuard | Client, Server | Yes (apparently) | Windows, macOS, Linux, iOS |
| Netmaker | WireGuard | Everything | Kubernetes based | Windows, macOS, Linux |
Tailscale Linux
$ curl -fsSL https://tailscale.com/install.sh | sh # Install Tailscale
$ sudo tailscale up # Run and Login to Tailscale
$ tailscale --version
$ tailscale status
$ sudo tailscale up
$ sudo tailscale down
$ sudo tailscale login
$ sudo tailscale logout
$ sudo systemctl restart tailscaled

Zero Trust Network Access ZTNA

| | Encryption | Open Source | Self Hosting | Client Support |
|---|---|---|---|---|
| Zerotier | Custom Protocol | Client only | Yes (no web UI) | Windows, macOS, Linux, iOS, Android, Synology |
| Twingate | Unspecified | no | no | Windows, macOS, Linux, iOS, Android, ChromeOS |
Cloudflare Tunnels
Secure Access Service Edge SASE
(Centralized cloud management)
Software-Defined Wide Area Network SD-WAN
Secure Web Gateway SWG
Zero-Trust Network Access ZTNA
Cloud Access Security Broker CASB
Firewall as a Service FWaaS
Security Service Edge SSE: CASB + SWG + ZTNA (SASE without SD-WAN)
Single sign-on SSO (unified ID provider)
SD-WAN, SASE Providers
Cisco Meraki
Fortinet FortiGate
FortiGate GUI
# (Local device) https://<FortiGate_IP> (default: https://192.168.1.99)
FortiLink
Designate FortiLink ports on FortiGate to manage FortiSwitch and FortiAP. A single management/control link between the FortiGate and FortiSwitch/FortiAP, merging everything into one system.
FortiCloud
Includes:
FortiGate Cloud - FortiGate GUI in the cloud + cloud-based log storage and visibility
FortiAnalyzer Cloud
FortiManager Cloud - Central management, multi-site
FortiManager
Enterprise-grade centralized management system - Manage multiple FortiGates, FortiSwitches, and FortiAPs across multiple sites. On-prem or as a cloud service (FortiManager Cloud)
Netgate pfSense
IPSec VPN:
Ubiquiti UniFi
Magic Site-to-Site:
Syslog and SNMP (Monitoring)
Syslog (System Logging Protocol): Focuses on event messaging and historical logging. Ideal for troubleshooting, audits and security investigations (SIEM)
SNMP (Simple Network Management Protocol): Focuses on monitoring the performance, health and management of network devices. Used to collect real-time metrics (CPU usage, bandwidth, memory)
Practical example: Imagine a server's hard disk fills up:
1. SNMP Alert (Trap): The server's SNMP agent sends an immediate alert (Trap) to the SNMP Manager indicating that "Storage level has exceeded 95%". This triggers an alarm on the dashboard.
2. Syslog Detail: The Syslog messages, stored on the central server, provide the detailed context from the system log that caused the alert, such as: "Process X failed to write to disk because the file system is full".
The SNMP Trap tells you "there is a storage problem NOW", while the Syslog logs tell you "this is exactly why the problem is happening"
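The trap-then-syslog workflow above as an added example (not from these notes): Python that parses RFC 3164 syslog lines and pulls the warning-or-worse messages from the trap's host within a time window around the trap, which is the "why" a SIEM would show next to the alarm. The syslog lines, the trap record and the host names are constructed; in practice the trap comes from the SNMP manager and the lines from the central syslog server.

```python
import re
from datetime import datetime, timedelta

# Constructed RFC 3164 lines as a central syslog server would store them (PRI = facility*8 + severity)
SAMPLE_SYSLOG = [
    "<30>Nov 12 10:14:58 srv01 sshd[2001]: Accepted publickey for admin from 10.0.2.15",
    "<35>Nov 12 10:15:02 srv01 backup[4211]: write failed: No space left on device",
    "<35>Nov 12 10:15:05 srv02 app[77]: write failed: No space left on device",
    "<36>Nov 12 09:10:00 srv01 cron[1]: filesystem /var at 91% capacity",
]
# Constructed trap as the SNMP manager would record it (host, time, varbind text)
SAMPLE_TRAP = {"host": "srv01", "ts": "Nov 12 10:15:03", "msg": "Storage level has exceeded 95%"}

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<tag>[^\[:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")

def parse_syslog(line):
    """Parse one RFC 3164 line into a dict, or None if it does not match."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri // 8, "severity": pri % 8,  # 0=emerg .. 7=debug
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # RFC 3164 has no year
            "host": m["host"], "tag": m["tag"], "msg": m["msg"]}

def explain_trap(trap, syslog_lines, window_s=120, max_severity=4):
    """Syslog messages from the trap's host, within +/- window_s seconds and at
    severity <= max_severity (warning or worse): the 'why' behind the trap."""
    t0 = datetime.strptime(trap["ts"], "%b %d %H:%M:%S")
    out = []
    for line in syslog_lines:
        ev = parse_syslog(line)
        if (ev and ev["host"] == trap["host"] and ev["severity"] <= max_severity
                and abs(ev["ts"] - t0) <= timedelta(seconds=window_s)):
            out.append(f"{ev['tag']}: {ev['msg']}")
    return out
```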
Solutions:
Syslog + SNMP: SolarWinds, ManageEngine OpManager, Paessler PRTG and Checkmk
Wazuh (XDR/SIEM): Log analysis (Syslog), security, intrusion detection, compliance. Collect all logs for auditing and security (who did what and when?)
Zabbix (NMS): Performance metrics (SNMP), availability, graphs, infrastructure monitoring. Collect metrics for performance and capacity (how loaded is the device?)
Old WAN
Leased line (Old and expensive ATM, Frame relay)
T1 - 1.54Mbps
T3 - 43.736Mbps
E1 - 2.048Mbps
E3 - 34.368Mbps
MPLS Multi Protocol Label Switching (Virtual Private Network in L2.5 Layer on the Carrier Network Provider)