Tasked with implementing a firewall into a small business. Need help

I completely agree. Most importantly, whatever firewall you choose, you’ll need to get the training to configure the firewall yourself. There’s nothing wrong with acquiring help to do this because firewalls aren’t easy to deal with if you’ve never configured one before. For the size of the company, SonicWall may be fine but I can’t stand them. Meraki is a great brand, and Fortigate. Make sure you acquire an SSL cert for the firewall as well, especially if there will be remote workers. Make sure to not have your firewall public facing, if it’s not needed.

Without having an Active Directory, how are users authenticating into the network? Active Directory is a HUGE deal and is extremely important. There are a ton of KBs online to set it up properly. Have at least two domain controllers for redundancy.

Once these things are set up, the principle of least privilege needs to be implemented for user groups so only these groups have access to what’s needed to perform their job duties.

Yep. The VAR is going to fuck you. However they will fuck you way less than you will fuck yourself if you try to do it yourself. I go to a dentist because while I know how to brush and floss, I am smart enough to know that I can’t pick all the plaque out, nor do a root canal. I go to a car mechanic, because he is smarter than me in this field.

As DeadFrye said add an hour or six of training for basic tasks.

Another vote for this here.

We are a FortiGate shop, but PA was very close when we went through the selection.

Like OP we are a smallish company north of 200 employees. We generally run the smallest model that supports 10G interfaces. In OP’s case my guess is they don’t need the 10G interfaces and can go even smaller for a lower cost.

We pay a VAR (that is, a value added reseller) to manage the devices and they will do just about anything related to the config and management. However day-to-day operations and changes are well within our wheelhouse and we usually manage those.

The VAR helps determine which firmware track and version is right for us from a feature, security and stability perspective as well as handling off-hours updates.

We also lean on them when we need to do anything complex, run into limitations or are just trying to figure out how to accomplish something.

A Palo Alto is overkill here. They’re complex to configure, license, and maintain. They are also expensive. Just why. Go with a Cisco Meraki. We’re talking about somebody with zero networking chops so why would you recommend a Palo.

Yup, this is likely the right advice.

Unless there are others in the business that can mentor you through this, this isn’t something you should be going at alone.

Sometimes facilitating something through another channel is the more responsible / sustainable option.

pfSense is fine software. It’s a poor fit for an SMB. It lacks the all-in-one functionality of most UTM devices and has a smaller support base.

This exactly. Not sure how to tell my boss lol. Pretty sure I just need to press them to get Active Directory implemented.

I can’t believe people are recommending Palo Alto in here. Serious disconnect with the OP’s situation. I have a pair of PAs in HA here and love them to death, but the cost of the physical devices was just about equal to my salary and the ongoing software costs are no joke.

Budget privilege?

He simply has to explain to his employer that network security is part of operating a business nowadays.

So they either move all their work to some cloud platform (Office365, Google Docs, et cetera) so they don’t have to worry about creating an on-premise infrastructure, or they spend the money to get an on-premise firewall going. This is not about “privilege”, it’s basic stuff. If they don’t have money, then wtf are they even doing as a company?

Handling medical and personal information without basic security sounds like a fast way to end up in prison. Get out and find a new job where you can learn from senior admins. Trying to figure out networking and security without having a clue what a good basic setup would look like will get you nowhere! You have no idea where to start and no guidance. Even if you can implement basic stuff your skills will stagnate in this company.

Start with an allow-all rule out, then restrict traffic as you get more familiar with it; it’s not that hard.

This physically hurt me.

ASAs give me literal nightmares

I genuinely can’t tell if you’re being sarcastic, or unintentionally making the worst recommendation I might have ever seen on this sub.


Given the 460 outperforms the 850 at half the price, unless you need a fibre interface they’re awesome.

Definitely would be suggesting a 400 series. Can even implement in vwire mode to learn apps and then use the visibility to create policies with the Policy Optimiser.

If they don’t have AD to start with I wouldn’t bother implementing it now. I’d go direct to AAD and Intune.

Because we’re talking about somebody with zero networking chops. I have ample experience with PA and Cisco firewalls, and the PAs are, while unintuitive to someone who’s cut their teeth on the ASAs, much more user-friendly, intuitive, and make it easy to produce diagnostics, classify traffic, and build policies. Plus the service contracts include automatic protection against common exploits, payload inspection, lots of things that will make your job easier.

Also, with Cisco’s “death by a thousand cuts” licensing model, you’re not going to save much compared to a PA, assuming you’re planning on doing anything but bog-standard ACL policies.

I agree, we have a PA for our city and it is seriously overkill for such a small business where they can’t even use User-ID because they don’t have AD setup yet lol.

My recommendation - Seriously, just get a UniFi Dream Machine Pro. By the sound of it they have less security than I have with my EdgeRouter-X and PiHole at home. So get something easy to use, affordable, and without yearly maintenance costs. A few years with that and then they can figure out if they need something like a PA.

I second this. You need a company to come in and help roll out a lot of changes in order to get things really secure.
But SonicWall firewalls are a good place to start. They have a lot of great features and offer options like VPN licenses and site-to-site VPNs if you need it.

Your company needs to implement an AD environment ASAP with password policies and SOPs. Check in your area if there is a “co-management MSP”. Essentially they can install AV on all devices, manage patches, assist with firewall installs etc., and if there is any project in the future, you can always contact them to help on those. But for 200+ users, an AD environment is long overdue.

Disagree. pf is perfect for small business on decent hardware. You may just not know how to cook it.