Firewall Recommendations


koconnell

Apr 10, 2025, 3:57:52 AM
to CESI-list
Hi all, 

I hope that someone here could recommend a firewall for our school based on your own experiences.

At the moment we have a SonicWall NSa2700 which is at capacity and bottlenecking our internet service. For context, we are a large school with over 1100 students and 120 teachers. We have 1:1 Windows student devices and teacher devices, screen monitoring software and smart projectors. 

Is anyone in a similar school size/type able to recommend a firewall that is working well for them? 

Thank you!

Kelan

John Pettey

Apr 10, 2025, 4:59:46 AM
to cesi...@googlegroups.com
Hi Kelan

We have recently moved to Cisco Meraki, with the added advantage of managed Wi-Fi access points (although you don't necessarily have to use that).

Regards
John


Liam Onofrei - Ctrl Alt Delete

Apr 10, 2025, 6:17:21 AM
to cesi...@googlegroups.com
Morning Kelan,

Can I ask what broadband connection you are using with the current generation SonicWall, please? What generation is the NSA 2700?

If you have the PDST supplied broadband, then any router will do the job as long as it has a good CPU, RAM and GB WAN ports. I recommend Unifi UDM Pro as a start.

If you are using a private line connection (for staff, unfiltered and unrestricted) then you have two options, based on a few factors:
- what speed line your provider supplies, as some SonicWall devices have WAN port traffic throughput limited to, let's say, 300Mb or 500Mb even if you use them with a 1GB fibre line.
- what budget you have, as the firewall (and not the router itself) may come with premium licences for content filtering, IDS / IPS, Gateway AV/AS. The price of the device will be split into the device itself and then another product named Total Security with a one year active coverage licence for security services.

If you are familiar with the SonicWall product line, I recommend getting a TZ500 as a starter, or to probably future-proof, a TZ600 NGFW series.

In terms of your internal network, keep in mind that the bottleneck could be the Miracast / Bonjour / mDNS traffic inside your network. You will need to create some sort of network segmenting to allow for traffic shaping/QoS and "isolation of the noisy" devices. It's well known that Apple and Google mirroring devices create lots of multicast "noise" and disturb the network traffic. You may be looking at VLANs and / or network segmenting with smart switches to deal with the traffic based on classroom or building physical/logical blocks. If you are in Classroom 1 and you can see TVs/Projectors/Devices mirrored from Classroom 24, then that is a network segmentation issue.

Start with management / documentation of your internal network, wired / wireless, internal DNS, DHCP, segmenting/VLANs, set up a "hub & spoke" core switch/access switches and keep an eye out for unusual port failures / traffic errors. Once that's done, then jump to a new firewall, if I can say so.

Fire up a Wireshark session on your LAN segment and watch the noise... ;)

Good luck,


Kelan O'Connell

Apr 10, 2025, 8:56:43 AM
to cesi...@googlegroups.com

Hi Liam,

Thanks a mil for all of this info. Appreciated.

We have a dedicated 1GB Virgin Media fibre line in straight from their nearest exchange. It’s uncontested and synchronous.

Noticing a massive difference in cost between barebones firewalls and all of the additional packages and upgrades. Sometimes costs double or triple. It’s my understanding that only basic support packages are needed to access firmware updates?

I’ll take a look at some of those next generation firewalls you’ve suggested.

Interesting feedback regarding the multicast noise. That is certainly worth investigating.

Thank you again.

Kind regards,

Kelan O’Connell


Chris Reina

Apr 10, 2025, 9:13:09 AM
to CESI-list
Hi Kelan,

Just checking with you…

I’m going to presume (perhaps incorrectly) that you have Oide supplied broadband with a Juniper box via Virgin Media. If not, disregard the next bit!

That Juniper box IS a firewall and is controlled by Oide to stop any inappropriate content, etc. If you need something unblocked, you can contact them and they can open the ports / unblock the URL.

Generally (unless you have a very specific usage case) you don’t need a second internal firewall.

The Sonic firewall you have in place should definitely be able to handle all requests incoming and outgoing perfectly adequately with a 1GB line for thousands of users and millions of requests. (https://www.sonicwall.com/products/firewalls/mid-range)

Just to clarify: is it perhaps the wireless network which is causing you issues with capacity? I.e. what exactly is the issue: connectivity, routing, speed, IP addresses, etc.? Also, you should ensure any and all other equipment you have is all 1GB speed… otherwise, regardless of the incoming connection, between devices the network will default to the slowest device.

As you say, firewalls can become extremely expensive very quickly and it's worth ensuring all other components are correct before replacing one.


Many thanks!

Chris


Kelan O'Connell

Apr 10, 2025, 9:28:42 AM
to cesi...@googlegroups.com

Hi Chris,

Thank you!

No, this is a private Virgin Media connection with a Cisco router supplied.

The actual issue is that the firewall is freezing and we have been having network outages. Our MSP has said that based on metrics and the logs, the firewall is at bandwidth capacity and it’s causing it to freeze and drop the network.

All of our switches are gigabit and we have a Ubiquiti WiFi system too which we have had for about 4 years and never gave us any trouble. This new SonicWall firewall was put in during Summer replacing a FortiGate 100E that failed.

Kind regards,

Kelan O’Connell | Educational Technologist | Head of Computer Science


Greg Ashe

Apr 11, 2025, 3:11:39 AM
to cesi...@googlegroups.com
What model Sonicwall do you have Kelan?

When you log into the Sonic, what kind of figures are you seeing on the Dashboard under System Status and System Usage?

Gregory Ashe
IT Manager


Kelan O'Connell

Apr 11, 2025, 3:43:04 AM
to cesi...@googlegroups.com

Hi Gregory,

We have an NSa2700. Unfortunately, we don’t have superadmin privileges on the firewall to log in. Only our MSP does.

From what I understand, we have an issue with new connections per second being at capacity. Our current peak for new connections is approximately 25,000 per second — peaked last week at 30,000 per second!

Kind regards,

Kelan O’Connell | Educational Technologist | Head of Computer Science

John Hegarty

Apr 11, 2025, 3:48:14 AM
to cesi...@googlegroups.com
If you own the device, I would insist on having the admin access passwords; if not you personally, then someone in the management structure of the school, with details filed away somewhere.

It is fair that you might reassure whoever is managing it that you won't make changes without referring to them, but I reckon you should have admin access to anything you own, so you are able to give access to another support company if the first is no longer available for any reason, as well as checking things out yourself as you see fit.

jh

Greg Ashe

Apr 11, 2025, 4:14:56 AM
to cesi...@googlegroups.com
The NSa2700 has a limit of 21,000 cps, so if you are regularly exceeding it then you will have problems.

If you have access to the Real Time Charts then you should be able to see which interface is getting hit; this might help to identify the source.

Connection limiting/throttling may be possible and you should look into this.

The question is: is this simply natural progression growth in the number of clients/devices, OR is it something rogue?



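An added example (not code from the thread or from SonicWall) that works through Greg's question above on constructed data: it counts new connections per second from per-connection log lines in an assumed format (epoch second, source IP, destination), flags seconds above the 21,000 cps figure quoted for the NSa2700, and reports whether one source dominates the count, which points to a rogue host rather than organic growth across all clients. All log lines and addresses are constructed.

```python
# Added example, not code from the thread: estimate new connections per second
# (cps) from per-connection log lines and flag seconds above the NSa2700's
# 21,000 cps figure quoted in the thread, noting whether one source dominates.
from collections import Counter, defaultdict

CPS_LIMIT = 21_000  # cps figure for the NSa2700 as stated in the thread

def per_second_counts(lines):
    """Group log lines ("<epoch_second> <src_ip> <dst>") by second and source."""
    buckets = defaultdict(Counter)
    for line in lines:
        ts, src, _dst = line.split()
        buckets[int(ts)][src] += 1
    return buckets

def analyse(lines, limit=CPS_LIMIT, dominance=0.5):
    """Return one record per second: total cps, over-limit flag, the busiest
    source and whether it alone accounts for more than `dominance` of the new
    connections (a rogue-host signature rather than organic growth)."""
    report = []
    for ts, counts in sorted(per_second_counts(lines).items()):
        total = sum(counts.values())
        src, n = counts.most_common(1)[0]
        report.append({
            "second": ts,
            "cps": total,
            "over_limit": total > limit,
            "top_source": src,
            "top_share": n / total,
            "single_source_dominant": n / total > dominance,
        })
    return report

def build_sample():
    """Constructed sample log (not real data): 40 client hosts each opening
    300 connections per second for two seconds, plus one extra host (assumed
    address 10.0.1.99) opening 15,000 connections in the second second."""
    lines = []
    for ts in (1000, 1001):
        for host in range(1, 41):
            lines.extend(f"{ts} 10.0.1.{host} 203.0.113.10:443" for _ in range(300))
    lines.extend("1001 10.0.1.99 203.0.113.10:443" for _ in range(15_000))
    return lines

if __name__ == "__main__":
    for row in analyse(build_sample()):
        print(row)
```

On real data, feed `analyse` the exported connection log and pair an over-limit second with `single_source_dominant` to decide whether the fix is capacity or isolating one device.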
Greg Ashe

Apr 11, 2025, 4:15:52 AM
to cesi...@googlegroups.com
+1 JH on this

Absolute bottom line - you hold the aces not the other way around

Greg
