
Informal Comparison of Cisco Pix vs Sonicwall Pro

This is a largely off-the-cuff response I sent once to someone who requested a comparison of the Sonicwall Pro firewalls I had been using previously with the Cisco Pix firewalls that replaced them. It has been cleansed of any personal details.

This is a pretty complex question, and I don't know if Sonicwall has gotten around to fixing most of the problems we had with our previous units. (Sonicwall Pro, circa 2000ish vs Cisco Pix, circa 2004 - Ed)

and so...

Before we did the upgrade cycle, we had these problems (among others)...

pix# show conn
827 in use, 2215 most used
TCP out x.y.z.v:80 in server:34731 idle 0:00:43 Bytes 124113 flags UIO
TCP out d.f.g.h :80 in server:58942 idle 0:00:09 Bytes 2322367 flags UIO
TCP out h.j.k.l:80 in server:60959 idle 0:04:39 Bytes 2754 flags UfFRIO

.... and so on for 850 lines in this case. There is a similar amount of transparency for just about any other internal metric that you want to look at.

I don't know the exact numbers of connections the different Pixes support offhand, but it's at least in the hundreds of thousands.

The Sonicwalls were also hard to manage. I have a bias in that I greatly prefer the command line for a lot of these things, but some of these benefits are true even for command-line-phobic people. Inside the Sonicwall, there was always a lot of clicking back and forth, checking this screen or that screen and only ever getting sanitized user-friendly data. On the Pix, I can use grep to look for settings, I can print out the whole config file to a tftp server in plain text so I can read through it (the Sonicwall's config file was binary, I believe)... I can easily compare different versions of the config for a site to see what has changed, I can easily compare one site to another... all kinds of nice simple things like that. (The Pix *does* have a web GUI interface as well, but in my opinion it is worthless and I cannot recommend its use at all. It is just as obtuse as the command line, so it isn't good for command-line-phobes, and doesn't give you any benefit, other than filling your config file with extraneous web-GUI-only metadata.)

The plain-text console also makes it very easy to cut and paste bits of config from one device to another, or to automate some things. For instance, I have a script that does a 'show conn' for me, then collates and groups the data (so you have lines like..... "tcp port 80 : 345 connections" rather than one line for each connection, which is very handy sometimes). (Here is the script. - Ed)
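The author's own collation script is not reproduced on this page. The following is an added example (not the author's script) of the same idea: it takes the text of a 'show conn' capture, parses each connection line in the format shown above (protocol, out addr:port, in addr:port, idle time, Bytes, optional flags), and groups the connections by protocol and destination port so that a multi-hundred-line table collapses into a few summary lines. The sample input is constructed from the three lines on the page plus two made-up entries using 203.0.113.x documentation addresses; the header and prompt formats assumed are the ones visible in the page's output.

```python
"""Collate Cisco PIX 'show conn' output into per-port connection counts.

Added example, not the page author's script. Assumes the line layout
shown on the page:
  TCP out x.y.z.v:80 in server:34731 idle 0:00:43 Bytes 124113 flags UIO
Lines that do not match that layout are reported as unparsed rather than
silently dropped, so a format change on a newer image is noticed.
"""
import re
import sys
from collections import Counter

# One connection line. '\S+?' followed by '\s*:' tolerates the stray space
# seen in "d.f.g.h :80" on the page. Flags are optional (UDP lines lack them).
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP)\s+out\s+(?P<out_addr>\S+?)\s*:(?P<out_port>\d+)"
    r"\s+in\s+(?P<in_addr>\S+?)\s*:(?P<in_port>\d+)"
    r"\s+idle\s+(?P<idle>\d+:\d{2}:\d{2})"
    r"\s+Bytes\s+(?P<bytes>\d+)"
    r"(?:\s+flags\s+(?P<flags>\S+))?\s*$"
)
HEADER_RE = re.compile(r"^(?P<in_use>\d+) in use, (?P<most_used>\d+) most used$")
PROMPT_RE = re.compile(r"^\S+#")  # e.g. "pix# show conn"

# Constructed sample: the page's three lines plus two invented ones
# (203.0.113.0/24 is a documentation range, not a real host).
SAMPLE = """\
pix# show conn
827 in use, 2215 most used
TCP out x.y.z.v:80 in server:34731 idle 0:00:43 Bytes 124113 flags UIO
TCP out d.f.g.h :80 in server:58942 idle 0:00:09 Bytes 2322367 flags UIO
TCP out h.j.k.l:80 in server:60959 idle 0:04:39 Bytes 2754 flags UfFRIO
UDP out 203.0.113.53:53 in server:51515 idle 0:00:02 Bytes 231
TCP out 203.0.113.44:443 in server:40001 idle 0:00:12 Bytes 5120 flags UIO
"""


def idle_seconds(idle):
    """Convert the PIX h:mm:ss idle field to seconds."""
    h, m, s = (int(x) for x in idle.split(":"))
    return h * 3600 + m * 60 + s


def parse_conn_line(line):
    """Return a dict for one connection line, or None if it does not match."""
    m = CONN_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "proto": d["proto"].lower(),
        "out_addr": d["out_addr"], "out_port": int(d["out_port"]),
        "in_addr": d["in_addr"], "in_port": int(d["in_port"]),
        "idle": idle_seconds(d["idle"]),
        "bytes": int(d["bytes"]),
        "flags": d["flags"] or "",
    }


def summarize(text):
    """Group connections by (proto, destination port); keep header counters."""
    counts, total_bytes, unparsed = Counter(), Counter(), []
    in_use = most_used = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or PROMPT_RE.match(line):
            continue
        h = HEADER_RE.match(line)
        if h:
            in_use, most_used = int(h["in_use"]), int(h["most_used"])
            continue
        c = parse_conn_line(line)
        if c is None:
            unparsed.append(line)
            continue
        key = (c["proto"], c["out_port"])
        counts[key] += 1
        total_bytes[key] += c["bytes"]
    return {"counts": counts, "bytes": total_bytes, "unparsed": unparsed,
            "in_use": in_use, "most_used": most_used}


def format_report(summary):
    """Render the summary as 'tcp port 80 : 3 connections (...)' lines."""
    lines = []
    for (proto, port), n in summary["counts"].most_common():
        b = summary["bytes"][(proto, port)]
        lines.append(f"{proto} port {port} : {n} connections ({b} bytes)")
    if summary["unparsed"]:
        lines.append(f"{len(summary['unparsed'])} unparsed lines")
    return lines


if __name__ == "__main__":
    # Pipe a saved 'show conn' capture in on stdin; with no input, use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    print("\n".join(format_report(summarize(text))))
```

Run it as `python collate_conn.py < show_conn.txt` against a capture saved from the console; the unparsed-line count at the bottom is the check that the regex still fits whatever image the box is running.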

I'm also doing a lot of SNMP for graphing of various things in the Pixes. I'm not sure what the Sonicwalls supported in that regard though.

This might also be a particular model problem, but the Sonicwalls we had previously always had tons and tons of errors on the interfaces. It was so bad that we actually had a baby switch between our firewalls and (The ISP's) equipment. With the Pixes, all those errors went away.

Of course, my needs are likely to be very different from yours. I have several dozen sites spread out all over to support, so a lot of the standardization and ease-of-comparison features really stand out for me, where they probably wouldn't be as valid in your environment. The Pixes are significantly more complex to admin than the Sonicwalls were... you have to know what you are doing. This is a plus in my book (especially since it discourages meddling, which is sometimes common with web GUIs), but training is a significant issue that I don't want to gloss over. The Pixes definitely have a learning curve to them. However, lots of the problems that would take days to figure out are resolved almost immediately now.

But then again, I haven't worked with a recent Sonicwall.