Firewall for web and app filtering education school


I'm aware that many topics already exist for the firewall for schools, but my reason to post this is because the firewall prices are crazy high. Goes up to 20k USD in cases of Sophos or FortiGate.

Just wanted to check if someone is already running any inexpensive setup like, let's say, open source Untangle or pfSense to do the same. I don't mind hosting a powerful server to do the job as long as it is cost effective and the yearly UTM license is much more affordable to renew.

I have up to 2,000 users to take care of.



4 Replies

· · ·
Bojan Zajc
Habanero

SI System Integration d.o.o. is an IT service provider.

Firewalls expert
69 Best Answers
292 Helpful Votes

Unfortunately this is the price point where you will find most of the UTM firewalls, when you talk about 2000 users.

However - I bet you never have all these 2000 users online at the same time! A school is not an office, where everyone would be sitting behind his computerized desk. At least 75% of all classes probably are held without any computers or other devices in the hands of your students.

And so the number goes rapidly down to 500 concurrent users or even less, where the prices are around 10k and less.

In most cases, firewalls are today licensed on their capabilities. The number of 'recommended users' is just a recommendation, not a limiting factor.

Still there are some rare exceptions, who will actually count every ARP address and set a hard limit for a given user count. But the majority of vendors has stopped doing so a long time ago.

So I would recommend you to collect some metrics about real life traffic on your networks. Measure throughput, connection counts, numbers of actually alive network nodes, to find out what the actual performance stats are, that you need to support.

Also split the educational, administrative and 'public/student' part of the network.

On the student/public part (students' phones, etc.) you will have very few limitations, because you can't enforce DPI/HTTPS decryption and inspection on this network. So possibly you could go for a much cheaper secondary solution in this part of the network, with far less inspection capabilities. I've seen these networks even being run on their own internet connection!

So that would leave you to handle Administration, staff and classrooms with a more high-end firewall.

Depending on the statistics you will collect, you might solve your problem with far less budget - without saving on the quality of the chosen solution.

At the same time, start looking at what you actually could get for your money. I guess you already have 'something'? Possibly you use the knowledge from that platform and continue with a newer generation of the same.

Or...when you would like something 'better'....simply start contacting vendors, request evaluation devices and see for yourself, what vendor/solution seems to be the best fit for you.

3
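The measurement step recommended in the post above (throughput, connection counts, live nodes), as an added example that is not part of the original thread: it derives sizing peaks from a flow export. The CSV column names, the 5-minute window and the sample rows are assumptions constructed for illustration; a real NetFlow or conntrack export would need mapping to this layout.

```python
import csv
import io
from collections import defaultdict

# Constructed sample flow export (not real data):
# start/end are epoch seconds, src is the client IP, bytes is the flow size.
SAMPLE_FLOWS = """start,end,src,bytes
0,120,10.1.0.11,30000000
30,90,10.1.0.12,15000000
60,400,10.1.0.11,75000000
310,350,10.2.0.20,1000000
320,610,10.2.0.21,150000000
330,340,10.1.0.12,500000
"""

def sizing_peaks(flow_csv, bucket=300):
    """Return the busiest window's distinct clients, active flows and Mbps."""
    clients = defaultdict(set)   # window index -> distinct client IPs seen
    flows = defaultdict(int)     # window index -> flows active in the window
    bits = defaultdict(float)    # window index -> bits transferred in the window
    for row in csv.DictReader(io.StringIO(flow_csv)):
        start = int(row["start"])
        end = max(int(row["end"]), start + 1)   # treat zero-length flows as 1 s
        # Assumption: bytes are spread evenly over the flow's lifetime.
        rate = int(row["bytes"]) * 8 / (end - start)
        for b in range(start // bucket, (end - 1) // bucket + 1):
            lo, hi = max(start, b * bucket), min(end, (b + 1) * bucket)
            clients[b].add(row["src"])
            flows[b] += 1
            bits[b] += rate * (hi - lo)
    return {
        "peak_clients": max(len(s) for s in clients.values()),
        "peak_active_flows": max(flows.values()),
        "peak_mbps": round(max(bits.values()) / bucket / 1e6, 2),
    }

if __name__ == "__main__":
    print(sizing_peaks(SAMPLE_FLOWS))
```

Run it per network segment (administration, classrooms, student/public) so each segment's peaks can be compared against a vendor's datasheet figures separately.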
· · ·
eneeldSSI
Cayenne

still-learning wrote:

I'm aware that many topics already exist for the firewall for schools, but my reason to post this is because the firewall prices are crazy high. Goes up to 20k USD in cases of Sophos or FortiGate.

Just wanted to check if someone is already running any inexpensive setup like, let's say, open source Untangle or pfSense to do the same. I don't mind hosting a powerful server to do the job as long as it is cost effective and the yearly UTM license is much more affordable to renew.

I have up to 2,000 users to take care of.

A WatchGuard M470 will do what you want most likely, and costs nowhere near $20k including a 3yr renewal. I think the pair of them we bought (HA) was under $8k. Spent I think $800 on the two 4x SFP+ cards for them.

Powerful server = $$$$

License = $$$$..

You can't fool the math into making a server cheaper to run that has the same capabilities and power as an application specific appliance. 

You pay for the bandwidth handling ability of these things. If you only have a 100 Mbps line, then you don't need one that will handle 10 Gbps.

4
· · ·
jonahzona
Datil

Another WG fan here. WG also offers competitive trade-in pricing, so if you are moving from another solution, you can save quite a bit.

One question is if your school is publicly funded. If you are (whether district or charter school) you will have access to E-Rate dollars, and firewall and subscriptions are covered under Category 2 funds. Something to consider.

1
· · ·
still-learning
Jalapeno
OP

Thank you everyone, we are going to have an online meeting with Untangle. I'll post the update over here if everything goes well with the pricing and the solution.

0