So to make a long story short, I work at a smallish company (around 200+ users total) in the IT department (first real IT job) and I support our users who are here at our office and also some located in our New Mexico office. Our security is terrible, nearly non-existent. We do not have an Active Directory, nor do we have a firewall. Passwords are all kept in Keeper and we have soooooooo many user credentials, it's an absolute nightmare how our data is managed. My IT lead is concerned w/ security and saw that I am studying for my CompTIA Sec+ certification, so he tasked me with coming up with some ideas to increase security. He definitely agrees we need a firewall and he has tasked me with figuring out how to implement one, but I do not have the slightest idea where to even start. Don’t know how many ports I need on the firewall, don’t know what kind to buy, or how to even configure it. My networking knowledge is rather entry level, so this is quite a daunting task. If anyone has any suggestions or can help me in any way please reach out to me on this thread. Thank you to anyone that decided to help me out.
My best advice is to look into local value-added-resellers in your area. Vet them by their local reputation, and have each one in for an introduction. Decide which one you like, then have them pitch solutions to you, and decide which one fits your needs and budget.
Of paramount importance is to include some professional services hours and training to help YOU configure the firewall. Do not let them just hire someone to configure it for you, it’s paramount you understand what’s going in, and how to operate it.
It sounds like your IT is a shambles, and you’ve got a lot of work to do. My professional recommendation for a Firewall is Palo Alto networks. Yes, they’re expensive, but I assure you they’re worth it, especially in a situation like yours, where you’ve got virtually no visibility into your internal network. A PA-800 series should be a good, entry-level device, unless your office has tremendous internet consumption.
Find a VAR or MSP. Do not do this on your own.
Do you even have a budget?
Call a VAR, any firewall vendor pre-sales should be able to organise an on-site POC with you and the VAR that will help with sizing and give you some visibility of your network traffic.
Personally I’d get an MSP in to install and manage the FW for you. If your network is as bad as it sounds you’re going to have a huge amount to manage and an awful lot to learn. FW management is one thing that can be easily offloaded to an MSP for 12-24 months whilst you get the rest of the network up to scratch. Make sure they deploy a simple solution that you’re going to be comfortable taking over once you get some breathing room.
You’re unlikely to want to hear this, so please feel free to ignore it! It might be worthwhile looking for another job. It sounds like you’re in a junior role at a business that’s doing everything IT related the wrong way. There is little to no usable experience to be gained from this.
If you decide to stay, visit the r/sysadmin pages for help.
If you have no budget, pfSense. Some may argue, but quite a few enterprises are running it. But it sounds like your needs are basic, at least until you can get a handle on the network and client systems. They are by far a greater risk than outside intrusion.
This is kinda rough start if you’d ask me. The firewall won’t help much if you don’t know how to use it correctly. Ask yourself what or who do you want to protect and which threats do you want to mitigate? Then evaluate your options based on the budget.
There is much more to a firewall than just an IP rulebase. How is your endpoint security?
It’s good to hear that you’re reaching out for help, but it might be the case that you’re looking for help on the wrong topic. Given that the state of your environment is as bad as you say, is “a firewall” the right thing to fix first, or is there anything else you could do right now to get some quick security wins fast?
What is your area of business? Are you dependent on IT availability for revenue, or can you accept some downtime or compromise without major setbacks? Are you subject to any regulatory compliance?
Do you have a security budget? Can you get money (of any amount) if you need it? Does your manager listen to your advice?
What is your environment like? Are all your clients the same? Do you have any servers on-site, or are they all hosted or cloud?
What tools do you have set up today? How are you managing your clients?
Call an MSP or MSSP to help you.
Definitely keep studying and get that Sec+!
I can give you basic information if you want, but overall you shouldn’t make the decisions without oversight from a knowledgeable person.
lol @ everyone commenting in this post with their “budget privilege”
did you all gloss over the part of OP’s post where they don’t even have Active Directory implemented? No way is this maximum cheapskate place of business going to pay to have some consultants come in when they figure they can get a basic solution in place “for free” with their neophyte new hire
We have been moving some users into an Azure AD environment; we do use Office 365 and recently are moving users here onto the new Windows 365 cloud VMs so they can do all of their work on there and we can monitor it through Azure AD. Currently we have them using Citrix and doing the rest of their work on the local machines. I guess I didn't go into exact detail what we do, but basically my small IT dept (3 technicians, 3 programmers, 1 lead) supports the users here and in New Mexico. Our whole operation is users calling veterans so they can get an increase on their veteran disability benefits, and then we have other companies here we support who manage all those leads in the terrible CRM that the owners paid some random person to create, and it's bad. Lots of handling HIPAA documents because it's a lot of veterans sending us medical docs including medical history. Honestly the security is so bad from the roots I don't even know how to go about it with the boss. I have got a lot of great info from this thread, but at this point not sure what to do with it. Do I press for AD to be implemented asap? Or do we continue with this cloud-based Azure AD solution we are working towards for centralizing things? Side note, a lot of our domain hosting is managed via GoDaddy. Sorry there are a lot of questions that I just don’t have the answer to, as I am relatively newer to IT sec, but I am overwhelmed with the amount of help and advice everyone is offering! Thank you all so much for the great advice. Just not sure how to tell my boss this advice without mentioning that I posted on reddit about the situation lol
I just did this at my company. Slightly different circumstances. You can DM me if you want some details on what I did.
Depends if the firewall is controlling LAN to LAN traffic or just LAN to WAN,
what is providing your internet at present?
Basically the firewall will need to sit between your ISP router and your core.
Leave your core as default gateway then add a route 0.0.0.0 to your firewall.
Ideally you want a firewall that is “2 way” that blocks traffic both inbound and outbound,
easy enough to start with an allow-all rule out, then restrict traffic as you get more familiar with it; it's not that hard.
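As an added illustration (not from any commenter in this thread), here is a baseline nftables ruleset for the layout just described: the firewall sits between the ISP router and the core, blocks anything unsolicited from the WAN side, and starts with the "allow all out" rule, logged so the outbound policy can be tightened once real usage is known. The interface names (eth0 toward the ISP router, eth1 toward the core) and the 10.0.0.0/16 LAN range are assumptions; the core's 0.0.0.0/0 route pointing at the firewall is switch-side configuration and is not shown.

```nftables
#!/usr/sbin/nft -f
# Assumed topology: eth0 = WAN (ISP router side), eth1 = LAN (core switch side)
# Assumed LAN range: 10.0.0.0/16 (placeholder, adjust to your own)
flush ruleset

table inet filter {
    chain input {
        # Traffic addressed to the firewall itself: drop unless explicitly allowed
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        # Management (SSH / web UI) and ping only from the LAN side, never from the WAN
        iifname "eth1" tcp dport { 22, 443 } accept
        iifname "eth1" icmp type echo-request accept
    }

    chain forward {
        # Traffic passing through the firewall: default deny in both directions
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # Day one: allow every new outbound connection from the LAN, but log it.
        # Review the "lan-out" log entries, then replace this line with
        # per-service rules (e.g. tcp dport { 80, 443 }) as you learn what is used.
        ct state new iifname "eth1" oifname "eth0" ip saddr 10.0.0.0/16 \
            log prefix "lan-out " accept
        # Nothing unsolicited from the WAN reaches the LAN; any inbound
        # service you later need (e.g. a VPN) gets an explicit rule here.
    }

    chain output {
        # Packets originated by the firewall itself
        type filter hook output priority 0; policy accept;
    }
}

table ip nat {
    chain postrouting {
        # Hide the private LAN behind the firewall's WAN address
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f <file>` and watch the kernel log for the `lan-out` prefix to see which destinations and ports the LAN actually uses before narrowing the outbound rule.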
200 users? Just throw an ASA 5505 on there and you’re good to go!
Probably get a good deal on one right now, there’s almost a year left on support.
The week after it is in place and is stable and the requests for allow list entries (exceptions) has been plowed through … “Hey Stephen, we need a VPN”.
Try Meraki MX; super simple and cloud based.
The best solution would be Palo Alto. The new PA-400 series is relatively cheap (given the features and security). Palo’s have a bit of a steep learning curve - if you go that route, you might want to hire a consultant to set it up.
Meraki is a great option for someone in your shoes. They’ve made firewall (and switch and wifi) management as simple and user-friendly as possible. Anyone with even a bit of network smarts could probably get a Meraki firewall up and running in a few minutes.
The down side of Meraki is that if you quit paying, they quit working.
Block everything punch holes?
I agree with all of this - except the new 400 series are excellent and very cost effective. Clearly designed to be Forti killers for medium business and very worth looking at before an 800 if you don’t need the grunt.