
10 Best Hardware Firewalls for Home and Small Business Networks

Written By Harris Andrea

On this website I have written dozens of articles about enterprise-level firewalls (especially Cisco ASA), but many people are interested in learning about the best hardware firewalls for home or small business networks, so that is what I’ll focus on in this article.


Firewalls are designed to monitor incoming and outgoing traffic, helping to keep your local network secure. While most computers have software firewalls installed, other devices lack their own security.

In a typical home network, video doorbells, baby monitors, and smart home devices are only as secure as the basic firewall inside the Wi-Fi router connected to the ISP.

With a hardware firewall, you get an extra level of protection for securing all devices in the home or SOHO network.

A dedicated hardware firewall usually connects to your router and your devices connect to the firewall, thus reducing the risk of hacking and malicious cyber attacks.

Some hardware firewalls even allow you to monitor your child’s Internet usage and receive text alerts of potential cyber threats.

To increase the security of your network, consider adding one of the following 10 hardware firewalls which are suitable for home and small business networks.

I have carefully selected the following devices based on their feature set, how effective they are, the trustworthiness of the manufacturer, etc.

Table of Contents

  • Best Hardware Firewalls for Home Network Use
    • 1) Ubiquiti Unifi Security Gateway (USG)
    • 2) Mikrotik hEX RB750Gr3
    • 3) Firewalla
    • 4) Bitdefender Box 2
    • 5) Zyxel Next Generation VPN Firewall
    • CUJO Smart Internet Security Firewall
  • Best Hardware Firewalls for Small Business (SMB) Network Use
    • 1) FortiGate 30E
    • 2) SonicWall TZ400 Security Firewall
    • 3) Cisco Meraki MX64W
    • 4) Protectli Firewall Appliance With 4X Intel Gigabit Ports
    • 5) WatchGuard Firebox T15

Best Hardware Firewalls for Home Network Use

I have grouped this article into two general categories. Let’s start with the best models for home use.

1) Ubiquiti Unifi Security Gateway (USG)

  • 3 Gigabit Ethernet ports, CLI management for advanced users
  • 1 million packets per second for 64-byte packets
  • 3 Gbps total line rate for packets 512 bytes or larger

Price: $349.99 (as of 2023-03-23)

With the Ubiquiti Unifi Security Gateway, you get an advanced hardware firewall and router that supports Gigabit Ethernet speeds and even more. While the device is intended for use in businesses, it is affordable enough for home use as well.

The device sits between the Internet and the local WiFi router, routing all traffic before it even reaches the router. All devices connected to the network are then monitored and protected through the advanced network management and security features.

As with other hardware firewalls, remote monitoring and management is available through a Graphical User Interface (GUI) called the Unifi Controller.

Users can easily change firewall settings, create VLANs, enable Deep Packet Inspection (DPI) to check which applications are using the Internet, enable QoS features, Intrusion Detection (IPS/IDS) etc.

The management features are part of the Unifi Controller Software, which also supports management of other Ubiquiti UniFi products such as WiFi Access Points, UniFi switches etc.

If you have other UniFi devices in your network, or you are planning to get a UniFi WiFi Access Point (HINT: it’s one of the best WiFi APs out there!), then the USG firewall is a great choice (for both home and small business networks).

Pros:

  • Ability to monitor traffic before it reaches the local network (using DPI).
  • Remote management via a web interface or mobile app (using the UniFi Controller) 
  • Relatively affordable solution
  • One Gbit/sec bandwidth (or more) (Great for Gigabit ISP speeds)
  • Deep Packet Inspection and QoS Capabilities
  • Powerful Firewall Performance and Features
  • Supports Intrusion Detection/Prevention (IDS/IPS)
  • Sturdy design and highly trusted vendor

Cons:

  • May contain too many features for a standard home user

2) Mikrotik hEX RB750Gr3

The first impression you get with this device is that it is a normal wired SOHO router with limited capabilities. This Mikrotik device is much more than that.

  • The hEX RB750Gr3 is a five-port Gigabit Ethernet router for locations where wireless connectivity is not required.
  • The device has a full-size USB port (USB type A). This new updated revision of the hEX brings several improvements in performance.
  • It is affordable, small and easy to use, but at the same time comes with a very powerful dual core 880MHz CPU and 256MB RAM, capable of all the advanced configurations that RouterOS supports.

Price: $57.00, reduced from $59.95 (as of 2023-03-23)

For this low-price tag, the Mikrotik hEX RB750Gr3 packs some powerful features that you will find only in high-end devices.

Although it can easily be used in business environments (hospitality, office, education, retail shops etc), because of its low price, compact design and flexibility it is great for a home network as well.

This router runs on RouterOS which supports advanced routing configurations (NAT, port forwarding, VPN, bridging etc) as well as stateful firewall, Layer-7 application detection and protection, firewall filtering rules etc.

It is equipped with 4xGigabit LAN ports and 1xGigabit Internet (WAN) port. Although the ports support Gigabit speeds, the whole device can go up to 470 Mbps maximum. So, it is ideal if you have Internet connection speeds of up to 500 Mbps.

Pros:

  • For the price, it has powerful firewall and routing features similar to high-end devices.
  • Easy to set up for basic home/office network use.
  • Uses RouterOS which is a free and very powerful router/firewall operating system.
  • For advanced users, you can configure almost anything you can imagine with this device.
  • Free and regular firmware updates.
  • Powerful firewall features.

Cons:

  • The device does not support full Gigabit Internet connections (max 470 Mbps)
  • Fairly steep learning curve if you want to configure advanced settings.

3) Firewalla

Firewalla is one of the easiest hardware firewalls to install and set up, making it a great option for the average homeowner or non-technical business owner.

  • COMPATIBILITY: This is the Firewalla RED (not the Firewalla BLUE). The IPS functionality is limited to 100 Mbits. This device may not be compatible with all routers. Please look at the "specification sheet" document in this listing, or the compatibility guide on the manufacturer's site, for routers that work with Firewalla. May require logging in to the router and doing basic configuration.
  • COMPLETE CYBERSECURITY PROTECTION - Firewalla's unique intrusion prevention system (IDS and IPS) protects all of your home wired and wireless Internet of Things devices from threats like viruses, malware, hacking, phishing, and unwanted data theft when you’re using public WiFi. It’s the simple and affordable solution for families, professionals and businesses. Firewalla’s built-in OpenVPN server keeps your device usage as secure as it is in your home.
  • PARENTAL CONTROL AND FAMILY PROTECT - The days of pulling the power cord from the dusty old router are behind you; with just a few taps on the smartphone, you can see what they’re doing, cut off all access, or cut off only gaming or social networks. Turn on Family Protect to filter and block adult and malicious content and keep internet activities healthy and safe.

The company produces an affordable version that supports up to 100 Mbit/sec bandwidth (the Red model) and a more powerful version that supports 500 Mbit/sec speeds (the Blue model).

  • Red Model: If your Internet speed is less than 100Mbps and you have fewer than 50 home devices.
  • Blue Model: If your Internet speed is more than 100Mbps and you have more than 50 devices (e.g. a business network).
  • NEW: Gold Model: The most powerful model with 3Gbps performance, using the same Firewalla Security Stack as the other models

All versions allow you to monitor devices and networks via a mobile app with a simple user interface. Easily adjust any of the settings, including auto-blocking and parental controls. 

Firewalla devices use the cloud extensively in order to receive security threat updates. The AI powered Firewalla cloud collects knowledge from all connected devices and distributes security updates to all devices to mitigate attacks. 

The device simply connects to a power source and your existing home router. You can connect Firewalla in any current network setup that you have such as combo router/modem from ISP, separate modem and router, mesh WiFi network etc.

After installing the app, you can instantly begin monitoring Internet traffic that goes in and out of your local network to anywhere in the world.

Firewalla also includes a built-in VPN server, allowing you to establish secure connections with your home or business network while away from the home or office.

Pros:

  • Ease of installation
  • Simple user interface
  • Affordable
  • Intrusion Prevention and CyberSecurity protection for all of your devices.
  • One-time payment. No monthly fee.

Cons:

  • Not suitable for Gigabit internet speed (except the Gold Model which supports multi-gigabit).

4) Bitdefender Box 2


The Bitdefender Box 2 is designed to provide a simple method for protecting your home network and Internet of Things (IOT) devices. After connecting to the router, the device automatically begins monitoring and optimizing your network for the best security.

With the 1.2 GHz dual-core processor, the device can support speeds up to one Gbps. It also supports the latest smart home controllers, including Google Assistant and Amazon Alexa.

This is also a WiFi router with Dual-Band (2.4GHz and 5GHz) AC1900 speed wireless radio, thus protecting both wired and wireless devices in the home.

The hardware firewall includes typical monitoring and security features along with software and cloud-based protection.

Additional security features are provided through the Bitdefender Total Security antivirus service. You get a free one-year membership with yearly subscriptions available after the first year (for protection of unlimited home devices).

The Box must be connected to your existing router which must be configured either as Access Point (AP Mode) or Bridge Mode.

In order to apply the enhanced and advanced parental control features of Bitdefender, your computers and mobile devices must have “Bitdefender Total Security” installed on them. This is good because you will get great Antivirus protection as well.

Pros:

  • Bitdefender is a very effective Antivirus and Anti-Malware vendor with a proven track record.
  • Is compatible with home automation devices
  • Supports one Gbit/sec internet speeds
  • Offers remote management via mobile app
  • Advanced Parental and Monitoring features applied right on the End-point devices (smartphones etc).

Cons:

  • Requires a subscription to use the advanced security features
  • Does not work with mesh wireless networks or WiFi extenders

5) Zyxel Next Generation VPN Firewall

ZyXEL Next Generation VPN Firewall with 1 WAN, 1 SFP, 4 LAN/DMZ Gigabit Ports [USG20-VPN]
  • High Performance Gigabit Ports: 1x Internet (WAN) Port, 4x Local Network (LAN) Ports, 1x SFP Gigabit Fiber (SFP WAN) Port for Uplink to Fiber Internet Services
  • Up to 90Mbps Encrypted VPN throughput (IPsec/L2TP: 10 Concurrent, SSL: 5 Concurrent Upgradable to 15 Max) for Secure Remote Access, Office to Office or Device to Office
  • Up to 350Mbps Stateful Packet Inspection (SPI) Firewall and 20,000 Max TCP Concurrent Sessions, ideal for Small Offices < 10 Users

Zyxel Next Generation VPN Firewall offers Internet security both locally and remotely. After installation, users can access their local networks remotely through secure VPN connections.

This device was designed as an enterprise-level solution for enhanced security and remote VPNs. However, the simplified installation process and affordable price make it suitable for home use as well.

The existing Internet connection and router or modem connect directly to the Zyxel Firewall, which also includes four Ethernet ports. Zyxel Firewall includes support for IPv6 and multi-WAN failover.

This device is categorized as a UTM (Unified Threat Management) firewall. UTM refers to protection at the application level, such as web content inspection, application controls, antivirus, intrusion prevention etc. You will need a yearly subscription license to use these application layer features though.

Without subscription, the device is still a solid hardware firewall device.

Pros:

  • Allows users to set up to 10 secure VPN connections using Layer-2 Tunneling Protocol (L2TP) and IPsec.
  • Includes access to Zyxel OneSecurity service, which provides regular updates
  • Includes a guided installation process for entry-level users
  • Device is very reliable and solid.

Cons:

  • The Firewall WAN only supports about 200 Mbps to 350 Mbps transfer rates.

CUJO Smart Internet Security Firewall

NOTE: A reader has shared in the comments below that CUJO will be discontinued in March 2021, so we don’t recommend this product anymore.

The CUJO AI Smart Internet Security Firewall is built for home or business use and features anti-virus, malware, and phishing protection for all connected devices. It connects directly to the WiFi router and supports up to one Gbps Internet.

There are three connection modes namely:

  • Standby: CUJO does not protect the network. Used for troubleshooting and configuration assistance.
  • Direct/DHCP: In this mode, you should disable DHCP on your home router and allow CUJO to provide IP addresses to the network. This is the most preferable way to operate.
  • Bridge Mode: For networks that have multiple WiFi routers and Access Points. Connect all of them to CUJO for full protection.

Using the CUJO AI mobile app, users can quickly set up the physical box. It works with most WiFi routers, including WiFi extenders and mesh routers, except for the Google WiFi mesh.

After setting up the hardware firewall, CUJO provides 24/7 protection for computers, smartphones, tablets, and smart devices. With remote monitoring, users can instantly see what devices are connected to the network and what websites are getting visited.

CUJO is simple enough for home use but still includes the sophisticated protection needed for business security.

Pros:

  • Automated setup and installation that only takes a few minutes
  • Support for one Gbps Internet speeds
  • Can identify if a local computer is compromised with Botnet malware etc.
  • Able to work with WIFI extenders and mesh routers
  • Flexible connectivity options to the rest of the network.

Cons:

  • Minimal amount of controls (no firewall options for customization etc).
  • No Web Administration via desktop browser (only through mobile app)

Best Hardware Firewalls for Small Business (SMB) Network Use

The devices in this category are slightly more expensive than the previous ones but they are best suited for business environments with more demanding requirements.

1) FortiGate 30E

Price: $446.08, reduced from $494.00 (as of 2023-03-23)

FortiGate has experienced the most impressive growth as a security manufacturer in recent years. The company has launched some of the most flexible firewall devices (both entry-level UTM and enterprise-grade models) on the market.

The FortiGate 30E is designed for small to mid-sized businesses and provides complete protection and Unified Threat Management (UTM) services to users. The device is simple to set up and uses cloud management for easier administration.

This firewall also includes four LAN Gigabit Ethernet ports for connecting computers, routers, Servers, or switches.

In such a small device you can find advanced security protections such as application control, advanced threat protection, Intrusion Prevention System (IPS), Web Filtering, VPN etc.

FortiGate devices support the VDOM feature, which lets you create several virtual firewalls on the same hardware device, thus segmenting the network into different zones such as guests, employees, public servers etc.

Pros:

  • FortiGate firewalls are among the most flexible and feature-rich devices in the market.
  • Fortinet as a company is one of the most trusted manufacturers of security devices.
  • The hardware firewall supports 950 Mbps of pure firewall throughput and 150Mbps throughput if all Threat Protections are enabled (which is pretty good for a small business).
  • The Fortinet Security Fabric (cloud management service) and FortiGuard Security Service provide real-time intelligence in threat prevention (one of the best in the industry).

Cons:

  • Requires a subscription to continue using the security and support services (just like all other UTM vendors).

2) SonicWall TZ400 Security Firewall


The TZ series of SonicWall firewalls are entry-level business models suitable for small to medium offices or branch offices belonging to a larger corporation.

SonicWall is well known for manufacturing excellent firewall products and the TZ series is no exception.

The SonicWall TZ400 offers enterprise-grade network security through its Unified Threat Management (UTM) system. It provides hardware, cloud-based, and software antivirus and network monitoring for a complete security solution.

To take advantage of all UTM software security features, a license subscription is needed just like all other UTM firewall appliances.

As an enterprise-level product, the TZ400 can support over 100 additional ports when combined with the Dell X-Series network switches.

Thanks to the processing power of this device, the TZ400 can perform deep packet inspection of all Internet traffic without reducing transfer speeds. The device offers 1.3 Gbps throughput with real speeds of 900 Mbps for WAN connections.

Pros:

  • Is a robust solution that can handle all the security needs of a small to medium-sized business
  • Includes support for SSL VPN mobile connections
  • Offers deeper packet filtering to reduce the risk of cyber attacks
  • SonicWall is a trusted vendor with a proven record in UTM firewall appliances.
  • High-performance device optimized so that speed is not compromised even when advanced security features are enabled.

Cons:

  • One of the more expensive hardware firewalls

3) Cisco Meraki MX64W


Cisco is the leading manufacturer of enterprise-level networking solutions. Meraki has been acquired by Cisco to serve the SMB market of wireless LAN products (and also other SMB network solutions).   

With the Meraki MX64W, the company has created a WiFi router and hardware firewall with superior Internet security features.

Users can also maintain fast Internet connections. The device uses layer 7 application visibility to monitor and prioritize traffic without significantly reducing bandwidth, supporting up to 1.2 Gbps WiFi speeds and 250 Mbps firewall throughput.

Cisco also provides advanced security services for an additional fee. These options include advanced content filtering, Cisco Threat Grid, and advanced malware protection.

Pros:

  • Complete enterprise-level WIFI and internet security solution
  • Excellent management cloud capabilities.
  • Support for up to four WiFi access point SSIDs thus segmenting the network.
  • Ability to support up to 50 users (great for small-medium offices).
  • Meraki and Cisco are well established brands in the field of networking and firewall security.
  • You get a future proof product with unprecedented vendor support.
  • Hardware Lifetime Warranty.

Cons:

  • A relatively expensive option that may be out of reach for some businesses.

4) Protectli Firewall Appliance With 4X Intel Gigabit Ports

Protectli Vault FW4B - 4 Port, Firewall Micro Appliance/Mini PC - Intel Quad Core, AES-NI, 4GB RAM, 32GB mSATA SSD
  • Expected back-in-stock date: January 2023. Best alternative model: Protectli Vault FW4C. THE VAULT (FW4B): Secure your network with a compact, fanless & silent firewall. Comes with US-based Support & 30-day money back guarantee!
  • CPU: Intel Quad Core Celeron J3160, 64 bit, up to 2.2GHz, AES-NI hardware support
  • PORTS: 4x Intel Gigabit Ethernet ports, 2x USB 3.0, 1x RJ-45 COM, 2x HDMI

Price: $339.00, reduced from $359.00 (as of 2023-03-23)

The Protectli Firewall Appliance features an Intel Quad Core Celeron processor with 4GB RAM and 32GB SSD drive making sure that almost any open-source firewall software will be running great on it.

It also includes 4 gigabit Ethernet ports, including a LAN and WAN port for connecting the device to a home network.

The device is intended for experienced users and electronics hobbyists. It uses open-source software firewall distributions, which require some technical knowledge to install and configure.

The company also calls the device The Vault. The small form factor PC is built for use as a hardware firewall/router and includes a 32GB mSATA solid-state drive and 4GB of DDR3L RAM. However, users may upgrade the RAM up to 8GB.

Open-source firewall and other software that can be installed on this device includes pfSense, DD-WRT, FreeBSD, ClearOS, CentOS, OpenVPN etc.

Pros:

  • Works with a wide variety of open source firewall projects.
  • Extremely reliable device.
  • Provides a customizable solution for advanced users who can install a great open-source firewall for great protection.
  • Offers whisper-quiet operation with fan-less construction with no mechanical or moving parts.

Cons:

  • Difficult for novices to set up and configure

5) WatchGuard Firebox T15

WatchGuard Firebox T15-W with 1YR Standard Support WGT16001-WW
  • 802.11b/g/n operating in the 2.4 GHz and 5 GHz bands for high performance and superior reliability
  • All WatchGuard appliances come with a minimum of 90 days support, which includes unlimited support cases

Price: $342.29 (as of 2023-03-23)

WatchGuard Firebox T15 is a WiFi router (select models only) and hardware firewall in one device. This small box connects directly to the Internet and can be used as an access point for the local network. It supports 802.11b/g/n WIFI and 2.4 GHz and 5 GHz bands (in the wifi version).

The T15 is intended for up to five users, offering 400 Mbps speeds through the hardware firewall and 90 Mbps speeds when the software UTM features are enabled. By UTM features we mean the software protection mechanisms such as intrusion detection, antivirus, ransomware protection, data-loss prevention etc.

If you have more office users then select the T35 for 20 users or T55 for 30 users.

Users can also configure their own secure VPN connections with speeds up to 150 Mbps.

With the provided Ethernet ports, users can directly connect three computers or routers for one Gbps transfer rates.

Pros:

  • Offers broad protection with full UTM solutions for remote workers
  • Supports secure VPN connections with fast transfer speeds

Cons:

  • The hardware firewall limits WAN speeds to 400 Mbps, making it suitable for about five
  • Performance is reduced considerably (90Mbps) if all UTM features are enabled.


About Harris Andrea

Harris Andrea is an Engineer with more than two decades of professional experience in the fields of TCP/IP Networks, Information Security and I.T. Over the years he has acquired several professional certifications such as CCNA, CCNP, CEH, ECSA etc.

He is a self-published author of two books ("Cisco ASA Firewall Fundamentals" and "Cisco VPN Configuration Guide") which are available at Amazon and on this website as well.

Comments

  1. Pradip Banerjee says

    July 29, 2020 at 6:27 pm

    Hi,
    I have a small Architect office having 9 architects. I fiercely like my designs to be protected and hence looking for a good robust economical protective system. I do not like to lose my data and hence wish to protect any unauthorized passing of data through the net via unauthorized email access, through software like AnyDesk, Skype, Google Drive, Google Meet, Gmail, Rediffmail, Zoho etc. etc. ….. Would also not like any of my workers' systems to access Facebook, Whatsapp, Zoom, Microsoft Teams etc…. except in systems that I authorize. Will like to block all websites that can facilitate data leakage, porn stuffs or adult websites, job finding sites etc. But since we work on following software will like to give full access on net to all systems to access the following websites like – ACAD, PROGECAD, RHINOCEROS, REVIT, LUMION, 3Ds MAX, SKETCHUP, V-RAY, DIALux, QUARKEXPRESS, ADOBE – LIGHTROOM/ PREMIER PRO/ PHOTOSHOP/ ACROBAT READER & MS OFFICE & GOOGLE EARTH.

    Kindly advise how to go about and which hardware and Software should I install

    Thanks in advance for your expert guidance.

  2. Harris Andrea says

    July 29, 2020 at 8:41 pm

    Hello,

    From your requirements, a simple network firewall is not enough. You will need a DLP Solution (Data Leakage Prevention) in addition to the other standard security controls (such as firewall, host protection (i.e antivirus), etc).

    A leader in DLP solutions is Symantec DLP. Also, you can look into McAfee DLP or DigitalGuardian.

  3. Mark Mettler says

    October 2, 2020 at 12:14 am

    It is quite useful in this day of Google my search to have the resulting webpage have a date of publication on it. I can only assume since the first comment was July 2020 and this being October 2020 that at least the article is relevant to today’s search for a firewall. When searching for a home networking solution, pricing is also important. A $150 solution like the Ubiquiti Unifi Security Gateway is much more reasonable than some of the other pricing I found when looking at all 10 solutions listed here. It was a valuable article, that enhanced would have included some MSRP and perhaps a warning about eBay offers for End of Life Firewalls that the manufacturer no longer provides updates or firewall definitions for.

  4. Harris Andrea says

    October 2, 2020 at 4:29 am

    Mark, thanks a lot for your comment.
    Yes the article is recent and still relevant at the time of this writing.

    About the price, the article discusses both home firewalls and also small-business models as well. That’s why you will see some more expensive devices in the list.

    Thanks again for your comments.

    Harris

  5. B says

    December 21, 2020 at 10:59 am

    This is a nice article.. informative..

    I would like to especially be able to control upload rates.. To be able to limit upload rates per device within my Network would be sweet… To limit speed specifically by connection/site.. Limit by connection to specific sites or services.. even sweeter..

    I think there is considerable security to be garnered by that seemingly simple ability..

    While I can do it with PCs many other devices either lack the software and or power to perform such actions.

  6. Harris Andrea says

    December 21, 2020 at 11:37 am

    The small business firewalls mentioned in this article can do what you want. Moreover, the Ubiquiti Unifi Security Gateway (USG) mentioned as first choice in the list above can do what you want as well.

  7. Robert says

    January 4, 2021 at 7:25 am

    CVE-2020-29583 (https://www.zyxel.com/support/CVE-2020-29583.shtml) and the fact that the hardcoded credentials were plainly visible in the binary put the trustworthiness of Zyxel products into question. Vulnerabilities are to be expected, but the plain stupidity exhibited in this case is staggering.

  8. Robert says

    January 4, 2021 at 7:32 am

    Which manufacturers, to your knowledge, offer firmware updates for the long term? I have to replace a fully functional firewall because the vendor no longer offers security patches, and I would like to avoid something similar happening in 3 years’ time.

  9. Harris Andrea says

    January 4, 2021 at 11:26 am

    Robert, if you are interested in a home hardware firewall, then the Ubiquiti USG is the top choice. Ubiquiti is a trusted and solid company that manufactures products which are continually supported and upgraded.

  10. Paul says

    January 9, 2021 at 6:16 am

    For home use pc, laptop and phones on network. Need to block apps such as Snapchat. Some of these solutions sound pretty complicated. Which one would work for family app blocking?
    User friendly is the key.

    Thanks

  11. Harris Andrea says

    January 9, 2021 at 1:00 pm

    Paul, maybe you should look into a SOHO WiFi router device (Netgear, Asus, TP-Link etc.) that has parental control.

  12. Barb says

    February 7, 2021 at 2:03 am

    Someone is bypassing home security alarm.
    What firewall would you suggest? Had contact with Marc Weber Tobias, atty and security expert; says packet exchange is the access in bypassing my security alarm.

    Do I need a software protection or some kind of encryption protection in addition to a firewall protection?

  13. Harris Andrea says

    February 7, 2021 at 10:44 am

    Barb, I assume your home security alarm is network based and somehow accessible from the Internet (maybe you have remote access to it for monitoring cameras, alarms etc??).

    If the security system itself is not secure enough, no matter what firewall you put in place it will still have problems. Make sure the alarm is fully updated, you have strong access controls (e.g. strong username/password) etc. Talk to your home alarm provider first to enhance its security.

  14. lee says

    February 22, 2021 at 5:34 am

    I wish you included Firewalla Gold which I think is more relevant. In addition, Firewalla offers a one-time pricing, but that also begs the question about security updates, patches and fixes. Any chance you would look into that?

  15. Harris Andrea says

    February 22, 2021 at 6:57 am

    Lee, I have added a small update to the article to mention also the Gold Model which offers multi-gigabit speed (3Gbps performance) and is suitable for networks that have Gigabit ISP connections.

    All models receive security threat updates from the cloud to mitigate attacks. It seems that the lower the model, the lower the number of “Active Protect Entries” that it has.

    For example, the Red Model has 1000 Active Protect Entries while the Blue Model has 10,000 Active Protect Entries.

  16. BlairJ says

    March 5, 2021 at 3:59 pm

    Scratch Cujo Firewall off the list. On March 5th, 2021 they sent out a notice to Cujo Firewall owners that Cujo will be disabled as of March 31st 2021. That’s less than four weeks notice. They said they announced this on September 29, 2020, but I looked back through my email, and today’s announcement is the first I’ve heard about it. Cujo says they discontinued their consumer hardware firewall to focus on providing firewall services to ISPs. I bought a hardware firewall because I do not trust the firewall built into my ISP’s router (which they control).

  17. Harris Andrea says

    March 5, 2021 at 4:43 pm

    Thanks a lot Blair for your feedback. I will update the post soon.

    Harris

  18. Yann says

    March 25, 2021 at 1:37 pm

    Hi,

    It is a shame you didn’t list CacheGuard… OK it’s more than a firewall but who can do more can do less.

  19. John Kasarda says

    March 25, 2021 at 4:47 pm

    I am new to potential use of firewall for my home environment. I have multiple IoT devices (wifi switches, dimmers, cameras), a linux server I plan on offering software services from, home computers that I want to access remotely, etc.

    My thought is to subnet these items (IoT on one subnet, server on a second, my pc’s on a third) and prevent cross traffic between subnets. However, I don’t understand firewalls well enough to see if they can provide multiple subnets inside the firewall, and cannot find user manuals online to study.

    1) Is there a good startup firewall intro YouTube or other study resource?
    2) How do I determine if firewall can supply multiple subnets (I think this requires multiple DHCP servers, multiple gateways, etc – but not sure)?

    Where do I start to make an informed, intelligent choice?

    Thanks in advance

  20. Harris Andrea says

    March 25, 2021 at 5:08 pm

    Yann, there are tens of options out there. I couldn’t include every one of them.

  21. Harris Andrea says

    March 25, 2021 at 5:24 pm

    John,

    The general idea of what you want to achieve is to configure VLANs on a switch and use a single firewall interface which will be divided into virtual sub-interfaces.

    Basically you connect one physical interface of the firewall to a switch (trunk port) and separate this single physical interface into multiple VLANs/subnets.

    For example, if we take the Ubiquiti USG firewall as an example, have a look at the following URLs for more info:

    https://help.ui.com/hc/en-us/articles/219654087-UniFi-Using-VLANs-with-UniFi-Routing-Hardware
    https://help.ui.com/hc/en-us/articles/222183968

    The following article that I have written using Cisco ASA firewall will also explain the concept:
    https://www.networkstraining.com/cisco-asa-dhcp-server-multiple-internal-lans/

  22. John Kasarda says

    March 26, 2021 at 3:29 am

    Thanks. I’ll start reading. I have really enjoyed refreshing my basic understanding of TCP, subnets, and TCP vs UDP. You do an excellent job of hitting just the right level of detail to get the point across without becoming ponderous – a tough feat that you have done well.

    So, for the VLAN, does the firewall device just pass through with no routing, and the switch does the routing, or where do the subnets get their IP assignments, and then a different wireless AP gets used for each subnet, or do you turn off the DHCP function in the APs and just have one SSID with all subnets on it?

    TIA!

  23. Harris Andrea says

    March 26, 2021 at 10:45 am

    John,
    The switch does not do any routing because it is a Layer 2 device. All routing is done on the Firewall. Each virtual subinterface of the firewall (under the physical interface) will belong in its own subnet and will have its own IP address. This firewall subinterface IP will serve as the default gateway of the hosts belonging in that particular VLAN/subnet. The firewall is also capable of assigning IP addresses (serving as DHCP server) for each of its subnets.

    So, all wired devices will be connected to the switch in their own VLAN, e.g. Linux server in VLAN 10, home computers in VLAN 11 etc.

    Now, regarding WiFi, you will need to have a single SSID WiFi AP connected to its own VLAN (e.g. VLAN 12) and have the WiFi AP assign IPs to clients.
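
The layout described in this reply (one firewall sub-interface per VLAN acting as default gateway and DHCP server, with cross-subnet traffic blocked as John asked), modelled as an added Python example that is not part of the thread or any vendor's configuration. The 192.168.0.0/16 base range, the zone names, the DHCP pool bounds, the single allow rule and the "outbound allowed, inbound denied" defaults are all assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class SubInterface:
    vlan_id: int
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address     # firewall sub-interface IP = hosts' default gateway
    dhcp_first: ipaddress.IPv4Address  # pool the firewall hands out on this VLAN
    dhcp_last: ipaddress.IPv4Address


def plan_subinterfaces(base, vlans):
    """Give every VLAN its own /24 from `base`, indexed by VLAN ID."""
    subnets = list(ipaddress.ip_network(base).subnets(new_prefix=24))
    plan = {}
    for vlan_id, name in vlans.items():
        net = subnets[vlan_id]                 # VLAN 10 -> 192.168.10.0/24
        hosts = list(net.hosts())
        plan[name] = SubInterface(vlan_id, name, net,
                                  hosts[0], hosts[99], hosts[199])
    return plan


def zone_of(plan, ip):
    """Map an address to the VLAN it lives in; anything else is the WAN side."""
    ip = ipaddress.ip_address(ip)
    for sub in plan.values():
        if ip in sub.network:
            return sub.name
    return "wan"


def decide(plan, allow, src, dst, dport):
    """Verdict the firewall would give, under the assumed default policy."""
    src_zone, dst_zone = zone_of(plan, src), zone_of(plan, dst)
    if src_zone == dst_zone:
        # Same VLAN: the Layer 2 switch forwards the frame directly, so the
        # firewall never sees it and cannot filter it.
        return "switched"
    if src_zone == "wan":
        return "deny"                          # assumed: no unsolicited inbound
    if dst_zone == "wan":
        return "allow"                         # assumed: outbound Internet allowed
    # Between VLANs: default deny, explicit exceptions only.
    return "allow" if (src_zone, dst_zone, dport) in allow else "deny"


# VLAN numbers follow the reply above; zone names are hypothetical.
PLAN = plan_subinterfaces("192.168.0.0/16", {10: "server", 11: "pcs", 12: "wifi"})
ALLOW = {("pcs", "server", 22)}                # assumed: PCs may SSH to the server

if __name__ == "__main__":
    for sub in PLAN.values():
        print(sub.vlan_id, sub.network, "gw", sub.gateway,
              "dhcp", sub.dhcp_first, "-", sub.dhcp_last)
    print(decide(PLAN, ALLOW, "192.168.12.50", "192.168.11.20", 445))
```

The "switched" verdict is the caveat to carry into the design: devices that share a VLAN can still reach each other, so isolation only exists between VLANs.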

  24. John Kasarda says

    March 26, 2021 at 2:42 pm

    Fantastic. It’s becoming clearer now. So, the firewall does both the routing and the firewalling.

    I will shortly have two fiber connections – a Google 1gb connection, and an AT&T 1gb connection. I am thinking of getting a tplink TL-R605 that can connect to both WAN sources, or a Zyxel USG Flex 100, but not sure how to evaluate their capability as a firewall, as I can’t find a user manual that explains its functionality and how to program it. Am I missing something?

    As a switch, I’m looking at a TPLink TL-SSG1024DE managed switch. I have TPLink Deco V60 mesh Wifi router, which I’m thinking should handle all the wireless devices and TVs. the V60 mesh AP’s

    Does this sound like a sound approach? Or am I missing something, or misunderstanding how to approach my objective?

    Once again, I appreciate the clarity of your advice, and it is helping me understand the critical aspects of this project. Much appreciated!

  25. Harris Andrea says

    March 26, 2021 at 3:13 pm

    Yes, the firewall does both routing and firewalling.

    The Zyxel USG Flex 100 looks like a better option (in terms of firewall capabilities etc.) compared to the TL-R605. Here is a tutorial on how to configure VLANs etc. on a Zyxel USG device: https://support.zyxel.eu/hc/en-us/articles/360001378613-How-to-configure-VLAN-on-USG-device

    The TP Link switch (TL-SG1024DE) supports VLANs (802.1Q vlan features etc) so it should work fine with the firewall.

    Regarding your fiber gigabit connection, in my opinion this is overkill. Your firewall devices will not support gigabit speeds anyway, so you could go with lower internet speed in my opinion (maybe 500 Mbps is enough).

  26. Patrick Wingert says

    May 20, 2021 at 10:39 pm

    I am in Canada and the cable internet provider here using their Hi-Tron modems leave all IPv6 traffic open and un-firewalled. They have a NAT that provides local IPv4 control. They provide a 4-address set of IPv6 addresses (I think 2 were ULA) but no control over them or the ability to set up local static v6 addresses. If I can get anyone’s IPv6 address I can walk right into their network. I ssh’d into a friend’s network by scraping his v6 address off a Skype call. I put a picture from his hard drive up during the call and asked him if he knew where I got it. But none of the reviews I have read talk about IPv6 features and setting up static IPs and firewall configurations for v6. My friend thought he was safe because he had NAT and was using one of the private IPv4 192.168.x address ranges. He never even realized that IPv6 was turned on.

  27. Harris Andrea says

    May 21, 2021 at 5:17 am

    Patrick, thanks a lot for your comment.
    You make an excellent point here about IPv6 security.

    ISPs should take measures to protect their customers via the border modem/router they provide to them via proper IPv6 filtering from the Internet towards the customer’s network.

    Unfortunately some ISPs do not bother. That’s why you should have another layer of protection by installing your own network firewall to have complete control.

    Harris
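
A local check for the blind spot raised in this exchange, as an added Python example that is not part of the thread: it reads interface addresses and flags any interface that sits on a private IPv4 range yet also holds a globally routable IPv6 address. The sample text is constructed, trimmed `ip -o addr show` style output, and 2001:db8::/32 is the documentation prefix standing in for an ISP-assigned one.

```python
import ipaddress
import re

# Constructed sample; a real run would feed in the host's own output.
SAMPLE = """\
1: lo    inet 127.0.0.1/8 scope host lo
1: lo    inet6 ::1/128 scope host
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0
2: eth0    inet6 2001:db8:4c2:1::23/64 scope global dynamic mngtmpaddr
2: eth0    inet6 fd12:3456:789a:1::23/64 scope global
2: eth0    inet6 fe80::a00:27ff:fe4e:66a1/64 scope link
"""

LINE = re.compile(r"^\d+:\s+(\S+)\s+(inet6?)\s+([0-9A-Fa-f:.]+)/\d+")

# Classified by prefix rather than ipaddress.is_global, because the standard
# library treats the documentation prefix used in SAMPLE as non-global.
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")
ULA = ipaddress.ip_network("fc00::/7")


def classify(addr):
    """Return a coarse reachability class for one address."""
    if addr.is_loopback:
        return "loopback"
    if addr.version == 4:
        return "v4-private" if addr.is_private else "v4-public"
    if addr.is_link_local:
        return "link-local"        # fe80::/10, never leaves the local link
    if addr in ULA:
        return "ula"               # private to the site, not routed on the Internet
    if addr in GLOBAL_UNICAST:
        return "global"            # routable end to end, no NAT in the path
    return "other"


def audit(text):
    """Group each interface's addresses by class."""
    result = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        iface, _family, raw = m.groups()
        addr = ipaddress.ip_address(raw)
        result.setdefault(iface, {}).setdefault(classify(addr), []).append(str(addr))
    return result


def nat_blind_spots(text):
    """Interfaces behind IPv4 NAT that also hold a globally routable IPv6 address."""
    return [(iface, kinds["global"])
            for iface, kinds in audit(text).items()
            if "v4-private" in kinds and "global" in kinds]


if __name__ == "__main__":
    for iface, addrs in nat_blind_spots(SAMPLE):
        print(f"{iface}: IPv4 is private, but {', '.join(addrs)} is reachable "
              "unless an IPv6 firewall rule drops unsolicited inbound traffic")
```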

  28. Rosa Anna says

    June 28, 2021 at 3:38 am

    Hello – I am in the US. I do not have much luck with technology as someone somehow hacks my phone, computer or home network. I also seem to have a traveling open Wi-Fi that has moved with me for the last 3 moves. :(
    I am trying to start a credit repair / funding business from home with others working remotely. I am very nervous that I don’t know how to lock down my network and give myself peace of mind that I should continue with this chapter. Any guidance would be so greatly appreciated. :)

  29. Harris Andrea says

    June 28, 2021 at 1:21 pm

    What do you mean by traveling open WiFi?
    Anyhow, here are some quick tips:
    1) Install a good hardware network firewall.
    2) Install a solid antivirus/antimalware software.
    3) Keep your Windows machines fully updated and patched.
    4) Use a password vault tool (such as LastPass, KeePass etc.) to store all of your passwords.
    5) Use a different strong password for your systems (both systems on premises and online as well).
    6) Only open emails and attachments from people you are 100% sure are legitimate. Most attacks nowadays are phishing via email.

  30. Rosa Anna says

    June 28, 2021 at 4:41 pm

    Thank you for your reply. I truly appreciate it.

    Everywhere I have lived in the past 3 homes I have this Wi-Fi that seemingly follows me. It is unsecured and accessible when I am home but has been present at 3 different locations with 3 different cable/Internet providers. My cable / Internet provider technician(s) don’t know what to make of it or how to get rid of it. Everyone is stumped.

    Each time I get a new laptop, I don’t need to transfer anything. My old files get transferred in days. When my laptop is on, I am being recorded. My voice and the background sounds. My laptop gets turned on and off on its own. Even though I shut down the internet connection each time I shut down.

    I am a nobody but somebody won’t leave me alone.
    I don’t leave the house much because I’m afraid.

    I really need this to stop.
    I can sometimes hear breathing when I am on the phone.

    I have been trying for years to get someone to help. Even with all the evidence no one knows what to do with me.

    Recently I realized someone was in my phone as it was so hot and I wasn’t even using it. I went into settings to see how much trash I had. It was 3x the phone’s max amount. So I deleted the trash. Not a smart move. I just thought maybe it would kill the connection. No, I just made whoever very angry. I watched in horror as they put all needed apps or services into restricted with a code I couldn’t figure out. And I soon learnt Apple can not restore that code. The phone is now a vegetable.

    This takes a toll on someone. I tried Norton Core – didn’t work. Apple told me that they were trying to shut it down and to go to the police. They didn’t help.

    At the time I had a phone connected to the modem. I was getting data calls. No one knows how to deal with them. So I eliminated the phone and use a cell phone as a home phone.

    The data from my cell is saved on my home phone not by my doing. I don’t save my data intentionally to anything cloud based. But it still happens.

    Clearly I know this will not all go away but I need to tame it and move on. Please help me as best as you can.

    Can you make recommendations on the firewall and anti virus and do I feel I would need a DLP Solution as well?

    Will this protect phones, computers, printers, etc?

    So grateful for any assistance you can offer. ~ Rosa

  31. Rosa Anna says

    June 29, 2021 at 4:46 am

    Thank you for your suggestions. I’ll be more careful with my emails.

    Would you likely help me with a robust firewall and antivirus and do you think I need a DLP Solution?

    I appreciate your help. :)

  32. Harris Andrea says

    June 29, 2021 at 1:42 pm

    The Bitdefender Box combines both a firewall and antivirus on the same box. Bitdefender is one of the best antivirus programs, so this option will be a very good choice.

  33. Rosa Anna says

    July 2, 2021 at 3:37 am

    I sincerely thank you for ALL the information you provide. It has been a valued resource to me, along with your conversation with Patrick on May 20th, 21 on ISP and IPV6 security. Several of your conversations added value to me. I am so appreciative. Thank YOU!

  34. Harris Andrea says

    July 4, 2021 at 8:26 am

    Thanks Rosa Anna for your kind words.

    Harris

  35. Guido says

    July 12, 2021 at 9:40 am

    This is a home environment with PCs, laptop, Tablets, TV and radio use.
    I have an AC1750 Wireless Dual Band Gigabit Router Model No. Archer C7
    It has a list of firewall specifications. SPI, VPN and Application Layer Gateway and FLOOD filtering.

    Do I need to add another Firewall?

  36. Harris Andrea says

    July 12, 2021 at 1:47 pm

    For a home environment, if the already existing WiFi router has good firewall capabilities, then you don’t need an additional firewall.

  37. Sentil says

    August 27, 2021 at 11:14 am

    For a SME company of less than 25 devices, I am using Watchguard T70 as firewall and VPN access. The annual subscription is exorbitant. Any suggestion or alternatives?

  38. Harris Andrea says

    August 27, 2021 at 1:39 pm

    Sentil, The Ubiquiti USG or the Edgerouter 4 by the same company are pretty good choices (https://www.networkstraining.com/ubiquiti-usg-vs-edgerouter/)

    Harris

  39. Jameson says

    October 19, 2021 at 4:01 pm

    Pfsense would be a good choice too, although it may be a bit more complicated for the home users. However, it is constantly updated and that’s probably the most important attribute to keeping the network safe, compared to a regular consumer firewall which still uses old and unpatched code libraries.

  40. Harris Andrea says

    October 19, 2021 at 4:25 pm

    Jameson, I agree that Pfsense is a great choice but it’s not for the average user, plus you will need also to find the proper hardware to install it.

  41. Chris Petit says

    October 29, 2021 at 7:58 pm

    I would recommend you look into Sophos for the home.
    It is 100% free and it is the exact same system that we use in our enterprise environment.
    This system “can” be used for SOHO or SMB though if you use the free personal home license for these environments it’s technically against their EULA. It does in fact work, and it is incredibly robust in its capabilities.

  42. Harris Andrea says

    October 31, 2021 at 8:18 am

    Hey Chris, thanks a lot for your feedback and recommendation.

    Harris

  43. Jigger says

    February 4, 2022 at 7:22 pm

    Hi Harris,

    The Firewalla Gold appliance has IPS as has the Fortinet device. However the Fortinet firewall needs subscriptions.
    What is the difference in the quality of the threat intelligence and/or IPS between the two firewalls?
    How does Firewalla sustain a quality IPS if it does not need a subscription service as it will need to be getting the latest threat data from somewhere?

  44. Harris Andrea says

    February 4, 2022 at 9:08 pm

    Jigger,
    Good question. Fortinet of course has more complete and in-depth threat intelligence from their FortiGuard labs.
    About Firewalla Gold, I don’t know for sure but my guess is that they probably use open source and free threat intelligence (e.g. free IP blacklists etc.).

    Harris
