Meraki Firewall Replacement Options?

We have been using Meraki for the last 5 years for firewall and most switches. We really like Meraki for its ease of manageability and quick and easy replacement. It has really let us keep our IT staff count low; even though there is a cost premium, we feel we still come out ahead. We are looking at upgrading a few locations and maybe adding some. We are at 8 now and just adding another MX64 or MX84 would be the easy thing to do. There are some limitations with the firewalls that we’ve lived with and I’d like to see what else is out there that still provides:

  • Central management of all Firewalls and switches
  • Quick hardware replacement or cheap enough hardware to keep one on the shelf.
  • Ability to have a lay-person install a replacement remotely (some of our campuses are quite far apart)
  • Good performance! This is an issue we have run into with Meraki in that we have to buy a larger unit than we would like just to use the features we’ve paid for.
  • Content/malware/av filtering
  • Easy end user and site-to-site VPN setup (Meraki is only a 2 click setup for full mesh)
  • Our only mission critical need is for streaming with Resi which is pretty forgiving but we have still had some issues with Meraki and some of the weird things it does.
  • A good price point. Coming in at or below what the MX64 and MX84’s with Advanced Security License

If you have made the switch or are happy with your setup in a similar multi-site model, please let me know. Thanks!

We recommend SonicWALL, Jeremy. Great fit, and Tom Templin at Ciber makes them very affordable.

We’ve been able to avoid/remove Meraki in a few environments by using Aruba or Cisco switching, Ruckus, Aruba or Cisco wireless, and Fortigate or Cisco firewalls.

In all of the cases, we only saved about ~20% over 5 years when you consider the software update services.

In all of the cases, we lost central management and provisioning. In all cases some settings need to be configured on-device over VPNs or otherwise.

We have had an uncomfortably high number of failures or performance issues on top-to-bottom UniFi networks - so we won’t install them for anything important anymore. While Netgear Insight seems to have better performance predictability than UniFi - it does even less than UniFi and needs to mature feature-wise before we can consider deploying it.

In practice we are using Meraki everywhere that is bigger than a dozen or two users in an environment, but too small to have dedicated network engineers on. If we have a need for dedicated network engineers to be on call, if I’m going to be paying for them anyways, then I’ll consider a “traditional” hodgepodge of device vendors/systems.

Turn off your filtering (other than DNS-based content if you need it) on your Merakis - it’s consuming CPU cycles without returning much value in today’s environments.

Also, make sure you aren’t exceeding the sizing guidance for your gateways (regardless of vendor) - a lot of people seem to buy based on top-line throughput numbers, ignoring the client/session guidance. Those client/session limits are often more limiting than throughput in commercial settings.

As an example, the MX6_ series is only recommended for up to 50 simultaneous clients. Similarly, the MX8_ series is only recommended for up to 200 simultaneous clients and the MX100 is 500 simultaneous clients. You can probably get away with a 3:1 oversubscribe due to intermittent access patterns and device sleeping - but still, you run into these limits pretty quickly. As I said, these limits are to be respected across all vendors.

I still think Meraki makes a lot of sense, although I’d love to see a real competitor on the market.

-K

Thanks. We used to use SonicWALL but made the move to Meraki about 5 years ago. At that time it was more difficult to manage some things like our complicated VPN setup and constantly updating content filtering. Meraki made that easy but we did lose some more advanced features. May give them a second look.

Thanks Karl! That is some great insight. With some of our campuses over an hour from each other and limited IT staff, simplicity and remote management are key. My hope would be to get something that is more affordable once you get above the MX 64 and MX 84 lines. There’s a big cost jump between the two and an even bigger above that. We are very oversubscribed in the amount of users and bandwidth and for the most part it does all right. We only had to go to the MX 84 when we were having trouble with uploads. The downloads were still good.

At most of our smaller locations we use the Meraki firewall and then some UniFi switches and APs and it works pretty well. I have not done a full stack of either Meraki or UniFi. It’s usually a mix or with some Ruckus thrown in too.

We do a lot of VPN configs for clients across the U.S. in SonicWALL… been very pleased.

You can take a look at Watchguard Firewalls. Value for money. Pretty durable as well.