Firewall recommendations for our church?

Hi All!

It is a pleasure to be in contact with you. I’m having a hard time trying to pick a Firewall that can serve our church, and at the same time, not spend more money than I have to.

We have 100Mbit symmetrical bandwidth. The ISP modem connects to a Cisco 3500 router (ISP owned), and that connects to our Edgerouter through LC3 fiber. All our switches are being fed by fiber too.
On the busiest days, and at peak hours, we have around 200 clients connected to our network and a maximum peak of 25Mbit/s usage. (This includes: Guests, Staff, Volunteer networks)
I’m looking at something that can serve us for at least 4 to 5 years. My initial idea was a SonicWall NSa 2500, but I don’t know if that might be a bit overkill.

I figured that if we have 200 clients, and we are only using 1/4th of our bandwidth, it’s probably people just having their devices auto-connect to our wifi, or maybe just reading something on their cellphones.

We have only one location, segmented in different buildings. Let me know if I can provide you with any other info. Thank you in advance,


I would personally recommend a Fortinet 101E w/3 Year UTM Bundle (or 5 if you want) as top recommendation. If you go Sonicwall I would consider the 2650 over the 2600 due to the age of the model/limitations. (I assumed you meant 2600 not 2500.)



My first question would be what are your primary concerns that are leading you to look for a firewall? The answers to that question will direct what you should look for.

We have a SonicWall at all of our campuses that also includes content filtering. We had a Cisco ASA before moving to SonicWall.

For that size network and WAN speed, a SonicWall TZ600 would be more than enough and considerably less than the NSa series units.
Even a TZ500 would work well.
If you go SonicWall, make sure to get 3 years of the comprehensive gateway security suite.

And if you go SonicWall, reach out to Tom Templin at Ciber for great service and pricing.

Hello Cristian.

You can also consider Watchguard appliances. Not so expensive but very good value, high performance and high reliability.

Maybe look at the entry level tier; T70 or M270 models. I have used Watchguard for many years without issues. Never had an unscheduled downtime by God’s Grace. The VPN client is easy to use as well and the ability to load balance ISP connections gives me more options in the future.

The definition of firewall has evolved with new technologies, faster and cheaper hardware. I think you should be greedy and, besides a NAT firewall, you should ask for Intrusion Prevention System (IPS), Country Block, VPN, parental/employee control, automatic software and security upgrade, realtime notification when Internet is down, or when there is suspicious activity, or when a malware is caught, getting weekly report, simultaneous WiFi4 and WiFi5, gigabit performance, lifetime hardware warranty, etc.

For those may I suggest our recently announced RC100 UTM appliance with all of those features and more coming: Roqos - Cybersecurity, IoT Security, user Controls, VPN & Dynamic DNS

Hi Chris, thanks for your reply. Yes, I meant NSa 2650. Will take a look at the Fortinet.

Thank you ALL for the replies:

Travis Phipps: I thought about a TZ 600. It’s within our parameters (bandwidth), but I’m not sure about the clients.
Norman Ho: I was thinking about WatchGuard too, but they are not that much less expensive than a SonicWall.
Sezen Uysal: Will do research on Roqos.

We have sites on TZ600 with well over 1,000 simultaneous users. I’m sure it would meet your needs. FWIW.

Travis Phipps

I’m fond of the Ubiquiti UniFi Security Gateways. Depending on how big the church is you can look at anything from their tiny UniFi Security Gateway to the new UniFi Security Gateway XG.

The models run the same software, it’s the hardware that differs between them. I’m not sure how much the XG costs, but the little guy is $139 and their medium unit (the UniFi Security Gateway Pro) is $344 list.

All their USGs include:

  • Traditional Firewall
  • VLAN Support
  • Site-to-Site VPN
  • QoS
  • Deep Packet Inspection (DPI)
  • Automatic WAN Failover
  • Automatic WAN Load Balancing

Did I mention there are no recurring license fees?

There is also Untangle; I haven’t used them in a few years (2012) but they offer an open source/free gateway with additional apps costing for specific security functions. I believe they also now have a HW device.

Finally, if you want to spend some money, I’d lean towards a Cisco ASA, but that may just be because I’ve been using them on and off for the past 13 years. :)


Cristian: From Watchguard’s website it looks like they compete head on with SonicWall so not surprised the price point is similar.

Hi! Thank you all for your suggestions. I really appreciate it. We have decided to move forward with a 2650 as a long term investment.