Firewall Vendors build appliances for the dump

Cisco, Juniper, Fortinet, Palo Alto and many others restrict the resale of their products to authorized resellers only, which destroys the secondary used market for such devices.

What’s even worse is that in order to get software updates, repairs, replacements, or to register the device, you must have purchased the device through the “authorized” resellers. The trick is you can only get the device new from resellers such as CDW or a major seller, or if you wanted to import a used device you must have the “gray” market device “certified” that it is genuine and meets their quality control requirements. The price to certify a used device is MANY MANY times the price of a new device or what you may have paid for the device on eBay.

Sadly I have experienced this situation many times before. The first time I ran into this trouble was when I purchased a used ASA5506-X router from eBay. Later I bought a Juniper SRX300 and finally I tried getting a Fortinet firewall.

In every instance I pleaded my case to register the device as my own, as I have physical ownership of the device (possession is 9/10ths of the law?). In every instance the manufacturer directed me to their gray market requirements. For example, here are Juniper’s gray market requirements.

At the end of the day I couldn’t register the device, so I had no access to software updates, documentation, additional software or any services. I had an outdated used firewall with very few services beyond the ability to do basic routing and rule management. What a disappointment.

How are people expected to learn how to manage a firewall when the manufacturer is gatekeeping the resources required to learn? I estimate that buying a Fortinet 40F + licenses and support would cost me maybe around $700+ for one year of support. What would I even use such a firewall for? I need it for a lab, not for my home. The bar for getting qualified with the latest firewalls is high.

Cisco’s prices would be even higher than Juniper’s with all their Firepower license requirements. I estimate it might cost me $1,000-$1,500 to get the hardware and software necessary to truly master their ASA firewalls.

So what does the life cycle for these products look like? I believe it goes something like this. A business buys the firewall with licenses and support. Once the device is no longer needed, they sell it on sites like Amazon or eBay. Without any way to gain access to the support from the manufacturer the device might sell, and if it does the buyer will have very limited access. I believe in most cases the appliance is simply thrown away, because who would buy a device without support?

Another quick point I wanted to make is how enterprise firewalls have gone all in on the subscription service. Everything is a subscription. Take a Cisco ASA for example. They have a license subscription for Botnet support, IPS, Web Control, Smartnet, and Firepower. Each of these has a single-year or multi-year subscription. When you buy a firewall you pay every year for every piece of the product. Buying the product is just the start of your purchasing fun with whatever vendor you decide to use. Good luck 🙁

At the end of the day I finally decided on which firewall to use for my home, and which one to use for my labs. I’ll use the minimal enterprise firewalls for training in my lab where they will have no access to the world, but for my house I think I found the ultimate firewall – OPNsense!

OPNsense Firewalls

OPNsense is truly a liberating product with all the features I have been seeking. I’ll do a more elaborate post on their firewalls in the near future.