I've worked with all different kinds of Firewalls - Raptor Eagle (now Symantec), ipfilter/iptables/ipchains/pf etc., Watchguard, Checkpoint, PIX/ASA among them. One thing that I have learned: The most important feature of a firewall is not its filtering ability - every single firewall nowadays can filter based on whatever state/content/fancy feature you name. It's the logging that makes the difference. If your firewall log sucks - or better - if the Firewall Log Display sucks, you won't read logs. And that's bad.
This may seem like a minor point for Linux/BSD people used to reading all kinds of cryptic log formats - for Firewall Administrators in large companies it is a major issue. I personally like the Checkpoint Logviewer (they call it 'tracker') most of all. YMMV.
Cheers, Viktor
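To make the point about log display concrete, here is an added example (editor's code, not Viktor's and not from any of the products he names): a small Python script that takes raw iptables LOG-target lines as syslog writes them and turns them into the kind of per-source/per-port summary a human will actually read. The log lines are constructed for the example and use documentation address ranges; "FW-DROP" is an assumed --log-prefix, and the whole script runs offline with no input besides the embedded sample.

```python
import re
from collections import Counter

# Constructed sample syslog lines in the standard iptables LOG target format
# (syslog header, "kernel:", optional printk uptime stamp, --log-prefix, then
# KEY=VALUE fields and bare flags such as DF and SYN). Not real traffic.
# The last line is an unrelated sshd message, to show non-firewall lines are skipped.
SAMPLE_LOG = """\
Jan 12 10:15:01 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12345 DF PROTO=TCP SPT=40512 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:15:02 fw kernel: [ 1234.567] FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12346 DF PROTO=TCP SPT=40513 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:15:03 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.5 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=54 ID=12347 DF PROTO=TCP SPT=40514 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Jan 12 10:15:04 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=UDP SPT=53 DPT=53 LEN=20
Jan 12 10:15:05 fw kernel: FW-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 12 10:15:06 fw sshd[1234]: Accepted publickey for admin from 192.0.2.44 port 50000 ssh2
"""

# printk may prepend an uptime stamp like "[ 1234.567] " to the kernel message
UPTIME_RE = re.compile(r"^\[\s*[\d.]+\]\s*")


def parse_line(line):
    """Parse one syslog line carrying an iptables LOG record.

    Returns a dict with the syslog timestamp, host, log prefix, the KEY=VALUE
    fields and the bare flags (DF, SYN, ...), or None when the line is not an
    iptables log record (for example an sshd message).
    """
    head, sep, body = line.partition(" kernel: ")
    if not sep:
        return None
    body = UPTIME_RE.sub("", body)
    idx = body.find("IN=")
    if idx < 0:
        return None
    # Everything before the first field is the --log-prefix (assumed "FW-DROP" here)
    prefix = body[:idx].strip().rstrip(":").strip()
    parts = head.split()  # syslog header: "Jan 12 10:15:01 fw"
    rec = {
        "ts": " ".join(parts[:3]),
        "host": parts[3] if len(parts) > 3 else "",
        "prefix": prefix,
        "fields": {},
        "flags": [],
    }
    for tok in body[idx:].split():
        if "=" in tok:
            key, val = tok.split("=", 1)
            # iptables repeats keys such as ID and LEN for the inner ICMP/UDP header;
            # setdefault keeps the first (IP-header) occurrence.
            rec["fields"].setdefault(key, val)
        else:
            rec["flags"].append(tok)
    return rec


def summarize(lines):
    """Count records per (prefix, src, proto, dpt), most frequent first.

    ICMP records have no DPT, so "-" stands in for the port.
    """
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = rec["fields"]
        counts[(rec["prefix"], f.get("SRC", "?"), f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
    return counts.most_common()


def render(summary):
    """Render the summary as a fixed-width table, one row per tuple."""
    header = f"{'COUNT':>5}  {'PREFIX':<10} {'SRC':<16} {'PROTO':<5} {'DPT':>5}"
    rows = [header, "-" * len(header)]
    for (prefix, src, proto, dpt), n in summary:
        rows.append(f"{n:>5}  {prefix:<10} {src:<16} {proto:<5} {dpt:>5}")
    return "\n".join(rows)


if __name__ == "__main__":
    # Pipe a real file in with: python3 fwlog.py < /var/log/kern.log (name assumed)
    print(render(summarize(SAMPLE_LOG.splitlines())))
```

Three SYN drops from one source against port 22 collapse into one row at the top of the table, which is the thing a cryptic KEY=VALUE dump buries. The same split between "parse into records" and "render for a human" is what a decent firewall log viewer does for you; if the viewer does not, a script like this is the cheapest substitute.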
Rolf Sommerhalder wrote:
Chris Gravell wrote:
Sounds like a lot of hard work, Rolf!
Yes, but it's fun as well, as you can really learn and understand how the stuff really works. Support provided by developers and the community over mailing lists is quite amazing.
etc...