
Considering XG 135 for small medical office?

Hello, 
 
I am considering replacing our old TZ210 with a new XG 135 for a small medical/dental office. There is a promotion where you get an extra unlicensed 135 for HA with the purchase of TotalProtect or TotalProtect Plus. I just wanted to make a post and see what the community here is like and have some discussion. We have full-time IT on site (me), and I took care of configuration and management of the TZ210 without any issues. It seems like the interface on the XG, while different, might be a bit easier with the way it organizes things. 
 
Here are some details of our infrastructure: 
  • Large Practice with onsite full-time IT person
  • Replacing TZ210
  • About 18-22 Employees with about 30 workstations. 
  • Have 100x10 Cable Connection w/ 10x3 DSL Connection as Backup
  • Dedicated Ubnt Wireless Access Points on Guest-VLAN
  • Traffic split on VLANs depending on function. (Voice, Workstations, Patient Entertainment, CCTV, Guest)
  • 2 x Cisco SG500-52P stacked in L3 mode for switching/inter-vlan communication.
  • Windows Server which handles DHCP for all VLANs via DHCP Helper on Cisco Switches
  • We use TrendMicro SMB Security Services for workstation antivirus protection (still have 2 years left on that agreement, so can't really switch at this time)
  • Our email is all Gmail hosted, so no spam filtering support is needed. No SMTP/POP/IMAP traffic.
Here are some simple requirements:
  • Good content filtering by category to prevent staff from wasting time on social media and other sites which are not work related.
  • Ability to do warning on content filtering where they can click through after warning but shows up in reports. 
  • Ability to prevent access to consumer Gmail via Header insertion
  • Ability to assign content filtering rules by computer name and/or MAC address. Our users log in to the workstations as the same user since we use a Practice Management System which provides the authentication/authorization. We have some employees who occasionally need access to restricted sites due to their job function (marketing, etc.).
  • Reporting functionality to see what the staff is actually accessing and the ability to report on historical and real-time bandwidth usage. A bonus would be if reports could be emailed weekly/daily to mgmt.
  • Dual WAN Functionality w/ Failover. We like to use our 100x10 connection for our traffic but want to failover to our DSL when it goes down. We also do route our guest traffic through that link just to keep the guest traffic off our main connection. Our preference is just simple fail-over and not round-robin.
  • Solid QoS support to prioritize our VOIP traffic.
  • SNMP traps raised when WAN failover or failback. We have a custom solution which will take that trap and notify me when one of our providers goes up/down.
  • Sandbox support for unknown files/ransomware (seems we need TotalProtect Plus for this)?
  • Have the ability to really make use of the 100x10 connection we have. The SonicWALL throughput is not the greatest. 
  • SSL-VPN support for myself and maybe one or two others to access the network remotely. iOS and OS X clients/support since that is what we use. 
 
Discussion? Is this a solid solution for a small business like this? Thanks!
 
-jr


  • James,

    XG135 should be enough for the throughput. Some considerations:

    • Gmail consumer. Using the Application filter you can filter some Google apps. Have a look at the XG online demo: https://secure2.sophos.com/it-it/products/next-gen-firewall/free-trial/xg-firewall-demo.aspx
    • Firewall rules at the moment cannot be configured using MAC-Addresses. It is possible but the feature does not work
    • Reports can be scheduled and sent via mail daily/weekly
    • Dual WAN. If one WAN goes down, you will receive an email automatically from XG
    • Sandstorm is included in the Plus package

    Regards

  • lferrara said:
    • Firewall rules at the moment cannot be configured using MAC-Addresses. It is possible but the feature does not work

    What would be the way to segment some workstations into separate rules if not by MAC? I could place them in a separate VLAN, but would like to avoid that. What about with FQDN? The workstations use DHCP, so their IP might change but the hostname should always resolve correctly. I guess, worst case is I could do IP with DHCP reservations?

    lferrara said:

    Yes, I think I saw an option to list the domain names in the UI. So, with SSL DPI turned on hopefully that would work. It is described in this thread:

    community.sophos.com/.../does-xg-support-http-header-insertion

    -jr

  • James thanks for the google app link.

    For the firewall rule you can use users as the source, but you need to integrate XG with AD, LDAP, RADIUS, or use DHCP reservations on your DHCP server and then create static hosts on XG. Using DNS hosts? Good question! You need to try.
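The DHCP-reservation route suggested above, as an added example that is not part of the thread: a PowerShell script run on the Windows DHCP server that pins the "exception" workstations (the marketing PCs that need a looser content-filtering rule) to fixed addresses, so they can be entered as static IP hosts on the XG and used as the source of their own firewall rule. The server name DHCP01, the scope 10.10.20.0, the workstation names and the MAC addresses are all made up for the example; the DhcpServer cmdlets (Get-DhcpServerv4Lease, Get-DhcpServerv4Reservation, Add-DhcpServerv4Reservation) are the standard Windows Server ones.

```powershell
# Added example, not from the thread. Create DHCP reservations for the
# workstations that need their own XG firewall rule, so their addresses
# stop changing even though every PC logs in as the same Windows user.
# Assumptions (not in the thread): DHCP server DHCP01, workstation VLAN
# scope 10.10.20.0/24, and the names/MACs below are constructed.
#Requires -Modules DhcpServer

$DhcpServer = 'DHCP01'
$ScopeId    = '10.10.20.0'

# Workstations that need the "marketing" content-filtering exception.
$Exceptions = @(
    @{ Name = 'MKTG-PC01';   Mac = '00-11-22-AA-BB-01'; Ip = '10.10.20.201' },
    @{ Name = 'MKTG-PC02';   Mac = '00-11-22-AA-BB-02'; Ip = '10.10.20.202' },
    @{ Name = 'FRONT-DESK3'; Mac = '00:11:22:aa:bb:03'; Ip = '10.10.20.203' }
)

foreach ($ws in $Exceptions) {
    # Normalise the MAC to the dash-separated, upper-case form the DHCP cmdlets expect.
    $mac = ($ws.Mac -replace '[:.]', '-').ToUpper()
    if ($mac -notmatch '^([0-9A-F]{2}-){5}[0-9A-F]{2}$') {
        Write-Warning "$($ws.Name): '$($ws.Mac)' is not a valid MAC address, skipping"
        continue
    }

    # Refuse to reserve for a MAC that has never held a lease in this scope.
    # A typo here would silently put the wrong machine into the exception rule.
    $lease = Get-DhcpServerv4Lease -ComputerName $DhcpServer -ScopeId $ScopeId `
                 -ClientId $mac -ErrorAction SilentlyContinue
    if (-not $lease) {
        Write-Warning "$($ws.Name): MAC $mac has no lease in $ScopeId, verify the address before reserving"
        continue
    }

    # Make re-runs idempotent: leave an existing reservation alone.
    $existing = Get-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
                    -ClientId $mac -ErrorAction SilentlyContinue
    if ($existing) {
        Write-Host "$($ws.Name): already reserved as $($existing.IPAddress)"
        continue
    }

    Add-DhcpServerv4Reservation -ComputerName $DhcpServer -ScopeId $ScopeId `
        -IPAddress $ws.Ip -ClientId $mac -Name $ws.Name `
        -Description 'XG content-filter exception (static IP host on firewall)'
    Write-Host "$($ws.Name): reserved $($ws.Ip) for $mac"
}

# The list to create as IP hosts on the XG; the exception firewall rule then
# uses these hosts as its source instead of a user or a MAC address.
$Exceptions | ForEach-Object { '{0,-12} {1}' -f $_.Name, $_.Ip }
```

Two caveats worth keeping in mind: a reservation only takes effect when the workstation next renews its lease (ipconfig /release and /renew on the PC, or wait for the lease to expire), so the XG rule will not match until then; and a MAC-based reservation identifies a machine, it does not authenticate it, so a staff member who can change the MAC on a workstation can land in the exception rule. The user-based approach mentioned later in the thread ties the rule to a login rather than to hardware, which is the stronger control if the shared-login constraint can be worked around.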

  • lferrara said:

    For the firewall rule you can use users as the source, but you need to integrate XG with AD, LDAP, RADIUS, or use DHCP reservations on your DHCP server and then create static hosts on XG. Using DNS hosts? Good question! You need to try.

    Our issue is that each workstation has the same user logged onto it (staff). Our security is provided by the login to our clinical software, so integrating with AD wouldn't help. It would be the same as showing all computers. Doing it by MAC address would be ideal, but it seems that is not possible.

    -jr

  • James,

    You can use the Sophos Client Authentication Agent on each computer. It is a small package to install and users can log in (saving the password is an option) and traffic is per user. The CAA is available even for mobile, Mac (I am using it) and I guess Linux too.

    Regards