Re: [nsp] Cisco PIX feedback request

From: Andrew (arousch@home.com)
Date: Mon Jan 08 2001 - 01:18:10 EST


At 10:46 PM 1/7/01 -0500, A Routerman wrote:
>Couple of comments for you all. I've only worked with Checkpoint FW-1 and
>PIX so that's the only area I can speak from with experience. Many other
>fine products out there I'm sure.
>
>Ultimately it depends on what features you need and what performance level
>you are looking for.
>
>The PIX is ok - it works great most of the time but has its share of
>problems.
>
>A couple of specifics - debugs for any period of time will kill the
>outbound interface, you'll have to reboot the PIX to fix it. While SSH
>is included in the 5.23 series - you can't use it in certain
>configurations (mine being one of them).

>The failover PIX is inexpensive and very nice. The only issue which we
>have with it is the VPN tunnels do not reestablish between remote sites
>and the PIX that fails over. It's a security issue/feature - it helps
>ensure someone can't take over your VPN tunnel. I.e. when a PIX fails
>over - we have to manually clear out the Security Associations and let the
>tunnels reestablish. Also upgrading the IOS requires rebooting the PIX
>and breaking out of the boot sequence - then tftp'ing.

@AMR: This is not true. Yes, upgrading the OS requires a reboot (what box
doesn't?) You do NOT have to break out into 'boot' - just use the floppy
(unless it's not a 510 or 520)

(Nit picking...) It's not running IOS. The PIX runs PIX OS ;^)

>The IOS has a few bugs. The biggest for us was the SMTP fixup and the
>alias command breaking in 5.2.X - The alias problem is supposed to be
>fixed in the 6.0.x code just released. The VPN part works great but a bit
>slow!!!
>
>The management of the PIX is only so-so. They make a manager that doesn't
>work on W2K, no traceroute capabilities on the PIX, difficult to track
>free memory and other similar helpful items...
>
>Aside from our outbound interface not transferring traffic 4 times over
>the past 6 months - the system has been rock solid.
>
>Performance-wise - the 515 is a dog. It slows down traffic for just a T1
>and 30 people. The 525 and 530 are much nicer PCs with more horsepower
>and more memory.

@AMR: What were you doing on the 515 that you were getting slowdowns on a
T1 and 30 users?? I have used the old PIXen (Pentium 133MHz w/16MB of RAM)
with ~300 sessions/users on 2 T-1s w/o incident. (The T-1s were the
bottleneck in that case.)



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:24 EDT