We have a lot of luck for smaller VoIP customers having all of their services 
run through a FortiGate 60D, or higher models. 60D is our go-to solution for 
small enterprise. However, if we are the network carrier for a particular 
customer and they have a VoIP deployment of more than about 15 phones, then we 
deploy a dedicated voice edge gateway, which is more about voice support and 
handset management than anything.  You do need to disable a couple of things on 
the FortiGate such as SIP Session Helper and ALG.  We never have voice 
termination, origination or call quality issues because of the firewall. 
FortiGate has a lot of advanced features as well as fine tuning and adjustment 
capabilities for the network engineering type and is still easy enough for our 
entry-level techs to support. Most of our customers have heavy VPN requirements 
and FortiGates have great IPsec performance.  We leverage a lot of the network 
security features and have built a successful managed firewall service with 
good monitoring and analytics using a third-party monitoring platform and 
Fortinet's FortiAnalyzer platform. 

Worth looking at, if you haven't already. If you want to private message me, 
happy to give more info. 


Sincerely,
Nick Ellermann - CTO & VP Cloud Services
BroadAspect
 
E: nellerm...@broadaspect.com 
P: 703-297-4639
F: 703-996-4443
 


-----Original Message-----
From: NANOG [mailto:nanog-boun...@nanog.org] On Behalf Of Ken Chase
Sent: Thursday, May 05, 2016 1:54 PM
To: nanog@nanog.org
Subject: sub $500-750 CPE firewall for voip-centric application

Looking around at different SMB firewalls to standardize on so we can start 
training up our level 2/3 techs instead of dealing with a mess of different 
vendors at cust premises.

I've run into a few firewalls that were not SIP or 323 friendly however, 
wondering what your experiences are. Need something cheap enough (certainly 
<$1k, <$500-750 better) that we are comfortable telling endpoints to toss 
current gear/buy additional gear.

Basic firewalling of course is covered, but also need port range forwarding 
(not available until later ASA versions for eg was an issue), QoS (port/flow 
based as well as possibly actually talking some real QoS protocols) and VPN 
capabilities (not sure if many do without #seats licensing schemes which get 
irritating to clients).

We'd like a bit of diagnostic capability (say tcpdump or the like, via shell
preferred) - I realize a pfSense unit would be great, but might not have enough 
brand name recognition to make the master client happy plopping down as a CPE 
at end client sites. (I know, "there's only one brand, Cisco." ASA5506x is a 
bit $$ and licensing acrobatics get irritating for end customers.)

/kc
--
Ken Chase - Guelph Canada
