pfSense vs. Sophos Cloud Web Gateway (discontinued)

I believe PFSense is well suited for both home lab environments as well as up to small to mid-size business environments on a tight budget. However, I would implore that anything in production requires the use of the authorized hardware that PFSense sells to receive support. However, in my experience, PFSense is a solid set-and-forget firewall solution.

Sophos Secure Web Gateway is great for almost any business that needs an easily-manageable proxy server. We're a medium-sized enterprise, but the product would work great for much larger companies as well. The only real limitations would be hardware resources, but it isn't that intensive. The administration of it is very intuitive, and it was quick to set up. Where it might not make sense is across multiple sites, unless all internet traffic is funneled through one place. It would be a bit complicated to maintain multiple setups.

Incentivized

• Easy to use. Good user interface design! Easy to understand and easy to set up.
• Lower hardware requirement. 3 years ago, we used an old PC to run it. Now, we have changed to a router device with Celeron CPU and 8GB RAM. It runs smoothly with a 1000G commercial broadband.

Incentivized

• When IT Admins need to deploy virtually.
• When IT Admins want to have high availability without an extra cost (via the Virtual Appliance Deployment).
• When IT Admins want to control and give the internet fair use within the organization.

Incentivized

• I did kind of mention a Con in the Pro section with OpenVPN.
• When I create a config for an employee other employees are able to login to that config.
• I could be doing something wrong when I am making it - I am not afraid to admit that as I am pretty new to all of this, but it seems like it builds a key and I would think the key would be unique in some way to each employee, but I could be wrong.
• I actually do not have a lot of Con's for this software - I did not get to set this up on our work network so I am not sure of any downfalls when installing.
• I installed this on my personal machine in a Hyper-V environment to get a feel for it before I started working on it at work and it seemed pretty smooth. I didn't run into any issues.

Incentivized

• Administrator Permissions: There's not enough granularity on the administrative side. We ran into an issue where we wanted to restrict junior admins from being able to see traffic per user. But in doing so, it also prevented them from adusting some other settings they had to have access to, like setting exceptions for sites.
• CA Database: I occasionally run into issues where the list of certificate authorities in the appliance is not up to date, and I have to manually add a CA. These aren't rare, never-heard-of authorities, either, but they are usually subsidiaries of one of the major ones.
• Feedback: Sometimes it takes some good detective skills to track down why a legitimate site isn't working. It's often because of content hosted elsewhere (images, for example), but the reports aren't always clear as to what actually gets blocked. It takes some trial and error sometimes to unblock something that should be okay for our business.

Incentivized

The pfSense UI is easy to navigate and pretty go look at. It is much better than some high dollar firewalls that just throw menus you you. The pfSense UI is quick and responsive and makes sense 99% of the time. Changes are committed quickly and the hardware rarely requires a reboot. It just runs.

Incentivized

pfSense+ basic provides "As Available" email support. pfSense+ Pro offers 24 hr turn around email support. pfSense+ Enterprise offers 24/7 phone support.

Incentivized

Meraki has a unified management login for all devices, which is nice. It also has decent content filtering, both areas where pfSense is weaker. Where pfSense far ouclasses Meraki is in the ease of use and the other width of features. These include features such as better VPN interoperability, non-subscription based pricing, auditability, not relying on the infrastructure of a third party, more transparency of what's actually going on, easier to deploy replacements if hardware fails. Additionally, the NAT management for pfSense seems to be a bit better, as you can NAT between any network segment and not just the LAN segments out the WAN interfaces.

Sophos Secure Web Gateway has flexible pricing and deployment options. It offers a huge range of categorization options and they also pull web categorization info from other services

Incentivized

• pfSense can be installed on commodity hardware with no licensing fees. With a simple less than 10 minute restore time, on most hardware, it's an extremely inexpensive way to achieve the same results that some of the more expensive vendors provide.
• The easy to use interface has allowed configuration management to be preformed by lower level technicians with quick and easy training.

Incentivized

• We have not had a single instance of malware since installing Web Gateway. We have other ways to prevent infections and attacks, of course, so this is just one tool in the box, but we had a handful before this from people visiting sites they should not have. Web Gateway has prevented those, at least.
• There was some pushback initially as users had to deal with some business sites not working (usually due to CA problems). After the initial growing pains, however, we've seen very few other problems.
• The appliance updates itself, in the middle of the night, so that reduces some overhead and planned downtime.

Incentivized