I am Information Security Engineer and I work with Cisco, Watchguard, and Sonicwall firewalls everyday. I am very experienced in the requirements a firewall must have in order to survive the Enterprise environment. Compared to the other guys, Astaro has many great features, but it also has many short comings. I feel I need to share my opinions and experiences so that Astaro can become an even better firewall. I apologize ahead of time if I list a feature that may already exist/be planned. This post is in no way a list of negatives about Astaro, but rather should be viewed as a list of recommendations to improve Astaro. That being said, here are the items that I think must be implemented to increase Astaro competitiveness:
- Improvements for GAV/IPS:
- need to be able to whitelist IPs on individual rules
- need to be able to modify actions of individual rules easier
- need to be able to add/write custom signatures
- Time Schedules needs to support grouped time ranges. I.E. multiple times in one definition.
- Need access to more advanced settings for firewall, TCP timeout, UDP timeouts, etc
- Need to be able to spoof MAC addresses on interfaces
- Need to be able to specify SMTP server for notification emails
- Need RIP dynamic routing support. I know it's an old protocol, but it's still widely used
- Need to be able to adjust advanced http proxy settings. Cache object size limit, cache speed, etc
- GUI for packet capture, with download into pcap format.
- Wake on LAN packet generator
- Network definitions details should be shown upon mouse over in every possible location. I.E. Network Security > Packet Filter, NAT, are currently not displaying network definitions popup.
- Remote Access VPNs (SSL, IPSec, etc) need to be able to enable/disable split tunneling
- Astaro Command Center needs major improvements
- need to be able to make the same changes in ACC as in the firewall. A user needs to be able to create a firewall change, and be able to push that to all/selected firewalls. If I need to write a rule to block traffic from a certain IP, I don't want to have to write the rule 400 times if I have 400 firewalls.
- needs to maintain a local copy of the remote firewall configs.
- Site to Site IPSec 'keep alive' option needs to be configurable, not always turned on as is the case now.
Additional entry after original post:
- Ability to allow traffic to any Address EXCEPT a defined definition(s). Often referred to as 'Not' operators.
Other user suggestions that I agree with:
- generate a complete fw config report (pdf ?) for auditing/documentation/revision
When all of these changes are implemented I would be confident in stating that Astaro will easily compete with any of the major firewall vendors. As I stated before Astaro is a great product, and can become even greater if the changes mentioned above are implemented and implemented well.
If anyone has any comments feel free to say what you think [:)].
Best Regards,
Astaro user
This thread was automatically locked due to age.
