Network Hardware Firewalls Buyers Guide

Firewall Ease of use



Page 1 | Page 2 | Page 3 | Page 4 | Page 5


Page 2

It is important to choose a firewall that you feel comfortable with and that is easy to work with. Unfortunately, the pattern seems to be that firewalls that are easy to use are too simple, without enough flexibility in the feature set, while the firewalls with the most functionality are the ones that are difficult to maintain, so it is good to try to get the right balance.

The good news, however, is that the feature-rich firewall vendors have started to hide away the advanced settings to make administration as simple as possible without taking away any functionality. For example, Fortinet have put some of their less frequently used features within the CLI.


Does the firewall provide an easy, user-friendly GUI? Are all settings easy enough to find? Are the feature sets logically grouped together? Is it easy enough to move from one dialogue to another?

You should be comfortable with the way the GUI (graphical user interface) is set up, and it should be logically organized into sections, for example a section for each of the UTM features, such as web filtering, spam filtering, IPS, etc. A demo of the physical product or a VMware version would be ideal for evaluation. You may find that achieving certain goals on the firewall requires a number of steps and much effort, so it is important to get a feel for the firewall you will be maintaining on an everyday basis.


How do you configure VPNs? Does the VPN functionality integrate well with the rest of the firewall, and does it provide any wizards and tips to make it easy to set up?

How integrated are the VPN features within the firewall? When a VPN tunnel has been established, does the firewall automatically create rules within the policy for all outbound and inbound VPN traffic? Are there any VPN wizards and tools enabling you to set up a VPN tunnel easily and quickly? Do they provide any helpful tips within the GUI enabling you to make the correct choices?

Take a look at the flexibility within the VPN functionality. You need to look at the granular settings to analyse whether new networks can be added easily to the VPN, whether complex VPN configurations and different VPN topologies are possible, and whether policy-based VPNs, route-based VPNs, dynamic VPNs, etc. are supported. However, do not be overwhelmed by all these features. Only you know what your organization requires, and it could be as simple as setting up a couple of VPN tunnels and that's the end of it.

Also take a look at the firewall and VPN logs. Are they tightly integrated with each other, helping you to monitor and resolve VPN problems easily? Ensure they are easy to follow and have the granular detail you require.


How easy is it to use the CLI (Command line interface)?

Although all vendors now support GUI-driven interfaces, sometimes you may need to access the CLI for troubleshooting purposes or to make rare changes not supported within the GUI. You should get a feel for the CLI and play around with some of the common commands. Take a look at the full list of CLI commands, and when you make changes, see whether you get informative feedback within the CLI. Take a look at the CLI help files and CLI documentation: how informative are they? Can you figure out how to make simple changes using the help files provided within the CLI?

Some vendors have a CLI built into the GUI. So instead of using telnet, SSH or serial, you can log into the GUI and then access the CLI from there, which can prove to be a very handy feature.

Juniper Networks have a friendly CLI hierarchy which is easy to get to grips with and where you can easily identify where you are in the hierarchy.


Does the firewall appliance come with an on-screen physical interface? How easy is it to reset the firewall, and can you reset it from the tin itself?

Some firewalls allow you to make basic changes from the physical appliance itself. An output screen with some configuration buttons, used to view the version of the appliance or to make basic changes such as changing the IP address of the appliance, can be very useful. Also, most firewalls provide a physical reset button on the appliance hardware, and resetting should be as simple as holding a button for 10 seconds and rebooting the appliance, or a similar procedure.

However, in recent times some vendors have taken this feature away from their appliances and have introduced a direct USB connection to their interface, which helps with the initial setup of the appliance.


Do the vendors provide a Centralized Management application?

If you were to manage a number of firewalls from a specific vendor, do they provide a central management application where you can make changes to all firewalls at once and monitor the state of the firewalls from one interface? For larger networks with a number of firewalls, a solid centralized management appliance is very beneficial and should be considered.

With centralised management, policy changes and other feature adjustments can be made once on the management server and distributed to one or more firewall devices. This is very useful if you have many firewalls from the same vendor and would like to make a change to your 30 branch office firewalls from the head office. You can make the change on the central management interface, which then sends it out to all your branch office firewalls, which could be distributed throughout the world.

Many firewall vendors support management solutions and services for their products, so you could manage all their products from one interface: not just firewalls but Web Security Gateways, Email Gateways and other solutions. An example of a change could be that your director has asked you to block access to Facebook for all your 30 branch office sites throughout Europe. Rather than making the change 30 individual times, you can make it once from the management server, which distributes the policy change to all of the 30 branch firewalls for you.


Does the vendor provide a solid, in-depth online help section, FAQ section and a public forum?

When you require help and support, it is important that the vendor provides a solid support section. Guidance on how to configure different tasks on the firewall, and good guides explaining the feature sets, how they work and how they are configured, are essential.

An online forum is in many circumstances the best way to find answers to problems you may be experiencing. Vendors usually provide online forums where users can participate in resolving each other's problems and queries. Take a look at their online forum: is it populated and informative? Check whether engineers from the vendor itself log in and interact directly with end users experiencing problems.


How easy is it to manage the firewall remotely?

Take a look at what tools the firewall supports for remote management.

Typical remote management tools are as follows. Ensure your firewall supports at least some of these:



Centralized management



Direct connectivity to the firewall GUI


Can you delegate tasks to your colleagues?

If you have segmented your network, you will most likely have different policies in place for each network segment. Check whether you can delegate tasks with restricted permissions to your colleagues so that they can maintain their own settings for different network segments. For example, you may assign your technical HR manager permissions to make changes to the firewall which would only affect the HR network.
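What a segment-scoped delegation check looks like in practice, as an added example that is not from this guide or from any vendor's product: the admin names, the subnets and the scoping rule (at least one end of the rule must lie wholly inside the delegated segment) are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed delegation table (assumed names and subnets):
# each admin may only change rules anchored in the listed networks.
DELEGATIONS = {
    "hr-admin": [ipaddress.ip_network("10.20.0.0/24")],   # HR segment only
    "net-admin": [ipaddress.ip_network("0.0.0.0/0")],     # full administrator
}

@dataclass(frozen=True)
class Rule:
    src: str      # source network or host in CIDR notation
    dst: str      # destination network or host in CIDR notation
    port: int
    action: str   # "allow" or "deny"

def _within(net_text, allowed):
    """True if net_text is wholly contained in one of the allowed networks."""
    try:
        net = ipaddress.ip_network(net_text, strict=True)
    except ValueError:
        return False  # "any", stray host bits or malformed text: out of scope
    return any(net.version == a.version and net.subnet_of(a) for a in allowed)

def may_apply(admin, rule):
    """Default deny: permit the change only if one end of the rule sits
    entirely inside a network delegated to this admin. A supernet that merely
    contains the segment (e.g. 10.0.0.0/8) does not count."""
    allowed = DELEGATIONS.get(admin)
    if not allowed:
        return False
    return _within(rule.src, allowed) or _within(rule.dst, allowed)

def rejected_changes(admin, rules):
    """Return the rules in a proposed change set that the admin may not apply."""
    return [r for r in rules if not may_apply(admin, r)]

if __name__ == "__main__":
    proposed = [
        Rule("10.20.0.0/24", "0.0.0.0/0", 443, "allow"),   # HR outbound HTTPS
        Rule("10.0.0.0/8", "10.30.0.0/24", 22, "allow"),   # too wide, not HR
    ]
    for r in rejected_changes("hr-admin", proposed):
        print("refused:", r)
```

When evaluating a product, the equivalent test is to log in as the delegated account and confirm that a rule wider than the delegated segment is refused rather than silently accepted.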


Does the firewall provide built-in troubleshooting features?

Take a look at the logs to see how easy it is to identify certain aspects. Are the logs well written and easy to follow? Look at the contextual information within the logs and how clearly they identify failures.

Good logging and reporting functionality is crucial when problems occur. Can you fine-tune the logs to find what you are looking for? For example, you may want to look only at real-time logging for VPN traffic so it is easier to troubleshoot.

Also look for tools within the GUI to help you find and resolve problems, such as ping, DNS tools, traceroute, a configuration rollback utility, and so on.


Does the firewall have the ability to integrate with other management platforms?

You may want to integrate your firewall with an SNMP MIB, Syslog or an NTP server, so you need to look into whether this is supported and how the firewall integrates with other management tools.


Is the firewall rich in the features you require?

Application layer filtering, stateful packet inspection and basic packet filtering are now long established and have become common to all firewalls. You need to look for the enhanced extra features, logging and reporting, and other functionality within the firewall. If one of your firewall priorities is to be able to filter spam, then you may want to look at the spam features and at how much flexibility there is in the spam settings.


What is the after sales support like? Can you log as many calls as required? What are the response times? How skilled is the support team? Where are they based in the world? Are they from a different time zone?

After-sales support is crucial and should not be overlooked. If your firewall fails on you, you need to ensure that third-line support is easy to contact and work with to resolve an issue and is quick to respond; it would be an advantage if they work within the same time zone as you.

