Management, like other Symantec corporate products, is done via the Windows management console. You power up the console and it gives you a choice of the firewalls you may connect to - choose one, enter the admin password and you're away. There's a 'Quick Start' wizard you can walk through to get your basic email and outgoing FTP/Web services set, and once this is done (if, indeed, you choose to do it) you have the more traditional rule-set that you can add to as you see fit. Unsurprisingly, the system has all the normal components you'd expect of a corporate firewall. You can define shorthand entities for hosts, domains, subnets and collections of machines (so you can refer to specific servers instead of having to remember IP addresses), time ranges (so you can apply rules for specific parts of the day or week) and protocols (you get a shedload of predefined protocols, but there's often a need to add your own). Because users (particularly those coming in over the VPN) can authenticate via a number of different means, from traditional to one-time key codes, there's a variety of authentication support that allows you to hook into existing corporate ID systems instead of being forced to have a local password file on the firewall. Access control is done the usual way, with sets of rules defining what's allowed and what's not. Incoming service requests can be redirected by service (so HTTP connections to host X can be sent to A and Email connections to X can be redirected to B). Network Address Translation is an obvious inclusion, of course, and proxy servers for a dozen or so service types (including FTP, HTTP, H.323 and SMTP) come as standard. Logging is essential on any firewall and SEF's is definitely above average. There's a nice logfile browser thrown into the management console alongside a load of default reports for the various aspects of the system (NAT, user logins, proxy services and so on). The final aspect we should mention is the now-obligatory interface to external content monitoring tools. Symantec's choice of external content monitor is Finjan SurfinGate. Setting up the system to hook into a SurfinGate server is just a case of writing in the address. Because different users have different legitimate surfing needs, you can set a collection of surfing 'profiles', that can be allocated to users as required. Overall
Given its heritage, it's no surprise that SEF includes all the features one would expect from a firewall and is relatively simple to configure. Although Windows Management Console can impose its clunkiness on admin packages, Symantec have worked well within its confines to produce a good overall product.
In any security product you should look not just for the features you need but also for a usable, comprehensible management interface. The more complex the latter is, the more likely you are to misconfigure something and open holes through to your private network.