The story was not nearly as good with the other firewalls. Check Point's Security Gateway has a more elaborate and better thought-out configuration system with more bells and whistles. For example, with the Security Gateway you could exempt all domains in a certain category (such as financial services) from being inspected. The Security Gateway also passed all of our SSL validation checks, detecting revoked and self-signed certificates just fine. However, the Security Gateway can only inspect HTTP traffic on known SSL ports. This means that an application that runs over non-standard ports won't be inspected, and neither will any application that uses a different protocol — such as email, instant messaging, or file transfer.
Fortinet's FortiGate did a better job at covering more protocols, handling HTTP, SMTP, POP3, FTP, and IMAP running over SSL, but only on known ports. Fortinet's engineers told us that the SSL decryption is linked to their anti-virus transparent proxy system, which is what kept it from running across more ports. But what FortiGate made up for in coverage, it lost in configuration controls. There's no way to exempt traffic from decryption except by IP address, and the FortiGate let through both self-signed and revoked certificates, making two invalid web sites look as if they were well-secured, even when it was configured to block invalid SSL certificates.
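The validation checks discussed above (rejecting self-signed and revoked server certificates) are what a decrypting firewall has to perform on the client's behalf, because once it re-encrypts toward the client, the browser only ever sees the firewall's own certificate. The following Go program is an added example, not code from this review or from any of the vendors named. It builds a throwaway in-memory CA, one trusted server certificate, one revoked one and one self-signed one, then runs the policy an inspecting proxy should apply: chain validation against its trust anchors, hostname match, and a CRL lookup. The hostnames (`bank.example` and so on) and the CA are constructed for the example, and the CRL is handed to the checker directly rather than fetched from the certificate's distribution point.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TestPKI is a constructed, in-memory PKI: a throwaway CA, three server
// certificates and one CRL. Nothing here is a real site or vendor certificate.
type TestPKI struct {
	CA, Good, Revoked, SelfSigned *x509.Certificate
	Pool                          *x509.CertPool       // trust anchors the inspecting proxy accepts
	CRL                           *x509.RevocationList // CRL issued by the test CA
}

// leafTemplate describes a server certificate valid for one constructed hostname.
func leafTemplate(serial int64, host string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// issue generates a fresh key for tmpl and signs it with caKey under parent.
// With parent == nil the certificate signs itself, which is how both the test
// CA and the "bad" self-signed server certificate are produced.
func issue(tmpl, parent *x509.Certificate, caKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := caKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildTestPKI constructs the CA, the three leaves and a CRL that lists only
// the "shop.example" serial.
func BuildTestPKI() (*TestPKI, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		SubjectKeyId:          []byte{1, 2, 3, 4}, // CRL issuance requires one
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(48 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca, caKey, err := issue(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	good, _, err := issue(leafTemplate(2, "bank.example"), ca, caKey)
	if err != nil {
		return nil, err
	}
	revoked, _, err := issue(leafTemplate(3, "shop.example"), ca, caKey)
	if err != nil {
		return nil, err
	}
	self, _, err := issue(leafTemplate(4, "mail.example"), nil, nil)
	if err != nil {
		return nil, err
	}
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: now.Add(-time.Hour),
		NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{
			{SerialNumber: revoked.SerialNumber, RevocationTime: now.Add(-time.Minute)},
		},
	}, ca, caKey)
	if err != nil {
		return nil, err
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &TestPKI{CA: ca, Good: good, Revoked: revoked, SelfSigned: self, Pool: pool, CRL: crl}, nil
}

// Inspect is the check a decrypting proxy must make on the server's behalf
// before it presents its own certificate to the client: chain validation
// (which rejects self-signed and otherwise untrusted issuers), hostname match,
// and a revocation lookup in a CRL whose signature and freshness are verified.
func (p *TestPKI) Inspect(leaf *x509.Certificate, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     p.Pool,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		if bytes.Equal(leaf.RawIssuer, leaf.RawSubject) {
			return fmt.Errorf("%s: self-signed certificate rejected: %w", host, err)
		}
		return fmt.Errorf("%s: untrusted chain: %w", host, err)
	}
	if err := p.CRL.CheckSignatureFrom(p.CA); err != nil {
		return fmt.Errorf("%s: CRL signature invalid: %w", host, err)
	}
	if time.Now().After(p.CRL.NextUpdate) {
		return fmt.Errorf("%s: CRL is stale, refusing to trust it", host)
	}
	if bytes.Equal(p.CRL.RawIssuer, leaf.RawIssuer) {
		for _, rc := range p.CRL.RevokedCertificates {
			if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
				return fmt.Errorf("%s: certificate serial %s is revoked", host, leaf.SerialNumber)
			}
		}
	}
	return nil
}

func main() {
	p, err := BuildTestPKI()
	if err != nil {
		panic(err)
	}
	cases := []struct {
		name string
		cert *x509.Certificate
		host string
	}{
		{"trusted", p.Good, "bank.example"},
		{"revoked", p.Revoked, "shop.example"},
		{"self-signed", p.SelfSigned, "mail.example"},
	}
	for _, c := range cases {
		fmt.Printf("%-11s -> %v\n", c.name, p.Inspect(c.cert, c.host))
	}
}
```

Only the first case comes back with a nil error; the other two are rejected with a reason. The order of the checks matters: a proxy that skips the chain step and goes straight to the CRL would pass a self-signed certificate, since a CRL can only list serials of certificates its own CA issued, and a proxy that accepts a CRL without checking its signature or `NextUpdate` can be fed an empty, stale list.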
We were also disappointed in the SSL decryption capabilities of the Barracuda NG Firewall. Unlike other next-generation firewalls, the NG Firewall requires you to explicitly configure HTTP clients (no other protocol is covered) to use the HTTPS proxy on the NG Firewall. This means that if a client can get through the firewall without using the proxy, or sends the traffic over any other port, the NG Firewall won't be able to apply next-generation controls or IPS signatures to the encrypted traffic, even though that traffic still passes through it. Barracuda's engineers told us that this limitation will be lifted in Version 5.4.
Overall, the results were disappointing, since only one product, SonicWall SonicOS, supported what we considered basic functionality. This suggests that the products are still evolving rapidly to meet the requirements for this new product category and that the PR and marketing are moving a bit faster than the engineers.
Read more about wide area network in Network World's Wide Area Network section.