Firewall Appliances


This topic contains 5 replies, has 2 voices, and was last updated by JeremyW JeremyW 5 months, 2 weeks ago.

    Aidan Finn (Participant), #614311

    I’ve been doing a lot of work in Azure networking over the last month. A big topic has been firewall “network virtualization appliances” (NVAs) – Linux virtual machines that are firewall appliances. It seems to me that there are three tiers of product in the Marketplace:

    • Does not support any clustering (least favorable)
    • Supports active/passive clustering, but not active/active clustering or scale-out
    • Support active/active clustering and scale-out (most favorable)

    The various big names in firewalling are spread across those 3 categories. Their documentation also ranges from “it sucks donkey b***s” (WatchGuard & Cisco) to awesome and should be must reading even if not working with their product (Palo Alto).

    So far I’ve found:

    • Cisco ASAv: single node only
    • Check Point CloudGuard:
    • Palo Alto VM-Series: active/active
    • WatchGuard Firebox Cloud: single node only
    • Barracuda CloudGen Firewall: active/passive

    What have you found? Have you found any more info in addition to the above?

    FYI: Azure Firewall is a platform service that doesn’t have the concept of nodes or instances – it’s highly available and scalable based on consumption without you doing anything. However, it does not offer the L7 security features that a firewall with a security bundle can offer.

    JeremyW (Moderator), #614419

    I messed around with the WatchGuard a tiny bit. My clients use a lot of WatchGuard on-prem. So far the single node and throughput wouldn’t be an issue for the deployments I manage. But I have not yet had the need to use anything, as users are looping through their offices to connect to resources. We’ll most likely be moving to a more direct connection in the future. I’m hoping WatchGuard will improve on their capabilities and documentation. :-)

    Aidan Finn (Participant), #614422

    @jeremyw I worked with a WatchGuard distributor until the recent Christmas break. I tried out their Azure appliance but, as you noted, their documentation was very weak. I did have a call with some of their product group in Seattle about it and some improvements they should make to the VNet design. If you know what to do, you can re-engineer their deployment for front-end and back-end subnets, with corrected user-defined routing, and place VMs into other subnets.

    In the small/medium business world, it is hard to justify the cost of a virtual firewall appliance in Azure. That was my market before I changed jobs. Without digging too deep, I cannot see too much that the NVAs are offering in L7. Some of them, like WatchGuard, offer a lot in their physical appliances when you add the security licensing bundle. But without that stuff, are they any better than a network security group when deployed in Azure?

    JeremyW (Moderator), #614426

    “But without that stuff, are they any better than a network security group when deployed in Azure?”

    I would say probably no. ;-) The built-in proxies that don’t need a subscription can verify compliance to the protocol. It’s good to have but has limited use. The subscription services are where it’s at, IMO.

    Aidan Finn (Participant), #615034

    A quick update: I found a Cisco doc that says that the ASAv in Azure can be deployed in an HA active/passive pair.

    • WatchGuard Firebox Cloud: single node only
    • Cisco ASAv: active/passive
    • Check Point CloudGuard: active/passive
    • Barracuda CloudGen Firewall: active/passive
    • Palo Alto VM-Series: active/active

    The Cisco docs are quite incomplete. A pair of NVAs, each with 4 NICs in 4 subnets, are deployed. But no load balancers to unify the flows are deployed. Instead, Cisco wants to automate the editing of route tables from the appliance – over my dead body! 3 commands per route table, 1 route table per subnet, many subnets … and the Cisco NVAs do not sync their configuration so you have to do it twice … identically.
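The front-end/back-end subnet re-engineering described in the #614422 post and the per-failover route-table editing complained about in the post above are easier to compare with the actual commands side by side. The script below is an added example and is not from the thread, from Cisco, or from any other vendor; it assumes an internal load balancer already sits in the firewall pair's trusted subnet (the "load balancer to unify the flows" design), and the resource group, VNet, subnet names and IP addresses are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or any vendor's docs): build one route
# table per protected back-end subnet with Azure CLI, pointing the default
# route at an internal load balancer in front of the firewall pair rather
# than at a single appliance's NIC. All names and IPs below are placeholders.
set -eu

AZ="${AZ:-az}"                        # set AZ=echo to dry-run the commands
RG="${RG:-rg-hub-example}"            # placeholder resource group
LOCATION="${LOCATION:-westeurope}"
VNET="${VNET:-vnet-hub-example}"      # placeholder hub VNet
# Private front-end IP of the internal load balancer in the NVAs' back-end
# (trusted) subnet. UDRs point here, so a node failover changes no routes.
ILB_FRONTEND_IP="${ILB_FRONTEND_IP:-10.0.2.4}"
# Back-end subnets whose egress must traverse the firewall pair (placeholders).
BACKEND_SUBNETS="snet-web snet-app snet-db"

# One route table per protected subnet: a 0.0.0.0/0 route to the ILB, then
# the table is associated with the subnet. Prints the table name last.
create_udr_for_subnet() {
    subnet="$1"
    rt="rt-${subnet}"
    "$AZ" network route-table create --resource-group "$RG" \
        --location "$LOCATION" --name "$rt" --output none
    "$AZ" network route-table route create --resource-group "$RG" \
        --route-table-name "$rt" --name default-to-firewall \
        --address-prefix 0.0.0.0/0 --next-hop-type VirtualAppliance \
        --next-hop-ip-address "$ILB_FRONTEND_IP" --output none
    "$AZ" network vnet subnet update --resource-group "$RG" \
        --vnet-name "$VNET" --name "$subnet" --route-table "$rt" --output none
    echo "$rt"
}

# Build the route tables for every protected subnet.
build_all_udrs() {
    for s in $BACKEND_SUBNETS; do create_udr_for_subnet "$s"; done
}

# What the appliance-driven design has to do on every failover: rewrite the
# next hop in every route table to the surviving node's IP. Prints the number
# of route tables touched last; with the ILB design this is never needed.
repoint_all_udrs() {
    new_hop="$1"
    n=0
    for s in $BACKEND_SUBNETS; do
        "$AZ" network route-table route update --resource-group "$RG" \
            --route-table-name "rt-${s}" --name default-to-firewall \
            --next-hop-ip-address "$new_hop" --output none
        n=$((n + 1))
    done
    echo "$n"
}

# Apply only when explicitly asked, e.g.:  sh udr.sh apply
# Preview the commands without touching Azure:  AZ=echo sh udr.sh apply
if [ "${1:-}" = "apply" ]; then build_all_udrs; fi
```

The point of `repoint_all_udrs` is to make the failover cost visible: the number of commands grows with the number of subnets, and in a design where the appliance itself runs them the appliance needs write permission on every route table. With the ILB front-end IP as the next hop, the load balancer's health probe moves traffic to the healthy node and the route tables are written once and left alone.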

    JeremyW (Moderator), #615155

    Sounds fun! :P
