Full Version: Why I Like The Pix
packet
Many folks out there say that the PIX is a legacy firewall that is just a glorified packet filter. Well, while they are not altogether wrong, the PIX does have a number of things going for it. It is a fairly fast, redundant, and simple firewall that is easy to manage and set up. Now many folks would also argue quite a bit about that last statement as well, so to break it down:

It's fast: well, it doesn't do too much to the packet to slow it down, now does it? Since it is a stateful packet inspection firewall, it just has to compare the packet to a set of conduits (or access-lists if you are smart), verify that there is a translation for the packet, and check its state table. While it does have some "proxy"-like settings called "fixup", they really don't seem to do a whole lot and don't really seem to proxy the packet; they seem to be more of a deeper packet inspection for protocols it knows about to verify that they conform to the application standards (correct me if I'm wrong here). But even these don't seem to slow it down much. There are certainly faster firewalls out there like the Netscreen (which I'm also a big fan of), but then the question is: how fast is fast enough?

Redundant: anyone who has ever messed with Stonebeat for Checkpoint firewalls realizes that redundancy isn't always that easy. The PIX has (almost) always had a fairly decent method for failing over to a redundant firewall. This was a bigger deal a few years back, but now even Checkpoint has great failover when you run it on NOKIA, and good redundancy is pretty much an industry standard. But looking back, you could always count on the PIX, and yes, I have had problems with it and have had to troubleshoot it not failing over, failing constantly, and unknown failing over, but all in all it was pretty darn stable.

Easy to manage and set up: Well, OK, not really. But once you have been working with the PIX for a while, you can easily create standard template configs that you can easily upload to the PIX and get them up and running quickly. I'm also a big fan of configuration-based network devices, as it is easy to manage them, back them up, and control changes. There are numerous scripts out there that will regularly grab your config, check to see if it changed, alert you if it did, and back it up if it did. It's also easy to create update scripts and send them out to your devices, so while you can go to a central admin console for other systems, you have always been able to do mass configuration updates using a simple script. Honestly, I won't purchase a firewall unless I'm able to manage it that way. Oftentimes managing through a GUI is too inefficient, often does not show you the whole picture, and sometimes is unreachable.

OK, there are firewalls that meet all of those qualifications and do much better, like the Netscreen. There are definitely firewalls that provide better security, like the Sidewinder. But the PIX is like a well-worn shoe: it just feels more comfortable and it does do its job well enough for more applications. I mean c'mon, you are locking your servers down, right?

So flame on! Let me know what you think.

--The Packet Gopher
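An added example, not part of the original post: a minimal Python sketch of the "grab the config, check whether it changed, alert, and back it up" routine the post mentions. It assumes the config text has already been fetched from the device by some other means, that the `: Saved`, `: Written by` and `Cryptochecksum:` lines are save metadata to be ignored, and the names `check_config` and `edge-fw` and the sample configs are constructed for illustration.

```python
import difflib
import hashlib
import re
from pathlib import Path

# Save metadata that can differ between two dumps of the same policy
# (assumption: these three line types are the only noise worth ignoring).
NOISE = re.compile(r"^(: Saved|: Written by .*|Cryptochecksum:.*)$")

def normalize(config_text):
    """Strip trailing whitespace and drop blank and save-metadata lines."""
    lines = (line.rstrip() for line in config_text.splitlines())
    return [line for line in lines if line and not NOISE.match(line)]

def digest(lines):
    return hashlib.sha256("\n".join(lines).encode()).hexdigest()

def check_config(device, config_text, backup_dir):
    """Return (status, diff); status is 'baseline', 'unchanged' or 'changed'."""
    backup_dir = Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    latest = backup_dir / f"{device}.latest.cfg"
    new = normalize(config_text)
    old = normalize(latest.read_text()) if latest.exists() else None
    if old is not None and digest(old) == digest(new):
        return "unchanged", []
    diff = [] if old is None else list(
        difflib.unified_diff(old, new, "previous", "current", lineterm=""))
    # Keep every distinct version, named by content hash, plus a 'latest' copy.
    (backup_dir / f"{device}.{digest(new)[:12]}.cfg").write_text(config_text)
    latest.write_text(config_text)
    return ("baseline" if old is None else "changed"), diff

# Constructed sample configs (not from a real device).
SAMPLE_V1 = """: Saved
: Written by enable_15 at 09:00:00.000 UTC Mon Jan 3 2005
PIX Version 6.3(4)
hostname edge-fw
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-group outside_in in interface outside
Cryptochecksum:00000000000000000000000000000000
: end
"""
SAMPLE_V1_RESAVED = SAMPLE_V1.replace("09:00:00", "17:30:00")
SAMPLE_V2 = SAMPLE_V1.replace(
    "eq www\n", "eq www\naccess-list outside_in permit tcp any host 192.0.2.10 eq 3389\n")
```

A re-save with only a new timestamp reports `unchanged`, while the added `permit` line in `SAMPLE_V2` comes back as a `+` line in the diff, which is the part worth sending in the alert.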
mrwhit3
We have a PIX here where I work; it has worked great so far. Knock on wood.
SgtRush
Cluster XL for Checkpoint has reduced significantly the headache of failing over Checkpoint firewalls. Stonebeat blows goats; man, did that software lose us some customers. But like you, I cut my teeth on Cisco equipment. Say what you will about command line interfaces, any one-off configuration I have ever had to do was adequately documented on Cisco's website. Can't say the same for other vendors. Their tech support is still the best in the business. In short, no flaming here. I agree with you.
packet
Yeah, ever since NOKIA got their hands on Checkpoint it has been a much better, much more stable firewall. BUT, I hate their overly complicated POS GUI! OK, so I hate the GUI PIX configurator even more, but who the heck even uses it?

Although, it's good to know Checkpoint because there are so damn many of the things out there.

--P.G.