Network managers who have experience with older TZ-series firewalls will be especially impressed with the jump to the Cavium, as the new Cavium-compatible SonicOS Enhanced v5.5 brings a substantial set of useful features, including integrated SSL VPN, integrated in-the-cloud antispam service, and several new reliability options designed to increase uptime and performance.
We've been critical of SonicWALL's UTM performance in the past with pre-Cavium processors, so this transition to the Cavium brings much-needed performance boosts. In our testing, we found the TZ210 delivers more than 125Mbps of pure firewall power, although there is a significant slowdown when all UTM features (antimalware and intrusion-prevention system [IPS]) are enabled. This makes the TZ210, and its slightly smaller brother, the TZ200, an excellent choice for solid UTM coverage well within the bandwidth requirements of the SMB market.
We focused on two devices, the TZ200 and TZ210, in our testing. While the TZ200 looks like something Apple would sell with a white plastic case and curvy lines, it still boasts respectable specifications: five 10/100Mbps Ethernet ports, an optional 802.11n (2.4GHz only) 2X2 Wi-Fi, and raw firewall performance of 97Mbps in our tests. We concentrated on its bigger brother in the somewhat uglier (but more professional looking) boxy Volvo-esque metal case, the TZ210, with seven Ethernet ports (two Gigabit Ethernet, five 10/100), optional 802.11n (2.4 GHz) 3X2 Wi-Fi, and raw performance of 126Mbps in our tests. Both run the same software, and pricing for each is very attractive.
The TZ200 costs $400 to $450 (depending on whether you get the 802.11n/b/g Wi-Fi) while the TZ210 costs $600 to $750 (again depending on whether you want Wi-Fi). The TZ200 and TZ210 (and TZ100 as well) are sold without per-user or per-node limits. Many firewall manufacturers added per-node limits and extended licensing costs on their low-end appliances as a way to try and get more money from larger companies for the same hardware, but SonicWALL has now moved away from such customer-disappointing strategies. Both the TZ200 and TZ210 are normally sold with a year's software support, content filtering, antimalware, and IPS subscription for about $150 to $200 a year. Presumably the bigger price differential on the TZ210 hardware is because of the more powerful Wi-Fi (3X2:2, meaning three transmit antennas and two receive antennas, and two data streams, giving a maximum theoretical performance of about 300Mbps, if 40MHz channels are used) than the 2X2:2 Wi-Fi on the TZ200. The main theoretical advantage of the TZ210 wireless is a longer reach and more immunity from noise, not higher performance.
The new low-end appliances in SonicWALL's firewall line make a respectable bridge between SonicWALL's traditional small-office market and the larger enterprise business it has been aiming at these last few years. For example, while the TZ200 and TZ210 firewalls we tested don't support virtual LANs (a feature in SonicWALL's higher-end devices), they do let you break up each Ethernet port into a different security zone, giving tremendous flexibility in setting security policy.
On the TZ210, with seven Ethernet ports (including two Gigabit Ethernet), we set up some ports with the firewall as a router, others in pass-through (transparent) firewall mode with a different device handling routing, and used yet another port pair as Internet-facing outbound interfaces, load balanced between two different ISPs.
A few lingering restrictions remain that could be annoying in some deployments. For example, one of the TZ210's two Gigabit Ethernet ports is dedicated to Internet traffic and can't be changed to any "inside" function, such as a DMZ. That's a waste, since very few of us have 200Mbps Internet connections (the maximum rated speed of the TZ210), but it would be nice to have that kind of performance going from trusted inside network to the DMZ for applications such as backups. SonicWALL told us it wasn't aware of the restriction, and would work to lift it in future software versions.
The hardware in both devices was rock solid for us, and we did abuse it by shipping it to Europe for part of our testing, then bringing it back to the United States for the remainder. Not even a peep of protest from the hardware. Both units are fanless and use an external power supply. Another pleasant surprise: the power supply connector has a locking tab that firmly attaches it to the firewall, resolving a long-standing complaint with the traditional coaxial connector that is so easily tugged out.
While SonicWALL isn't necessarily blazing new ground in making a compact firewall with a handful of ports and built-in 802.11n wireless, the TZ200 and TZ210 are solid platforms that let the power of SonicOS shine through.
Basic firewalling and operations
New hardware and new features in the SonicWALL TZ200 and TZ210 don't hide the firewall, which is essentially unchanged from the last version we looked at. Existing customers using SonicWALL's previous generation of small firewalls at SonicOS v3.9 will see a new GUI, but the firewall function and style is unchanged from previous versions.
SonicOS 5.5 continues to have a versatile, but confusing view of network address translation (NAT). Unlike other firewalls that integrate the access control policies and NAT into a single view, which we find to be a conceptually simpler way to deal with NAT in most networks, SonicOS continues to separate them, much to the confusion of anyone who might want to understand and edit the NAT policies. For example, in our sample testing, our TZ210 firewall with no access control policies, other than the defaults, grew to 48 separate NAT policies all on its own. Fortunately, the defaults that come with SonicOS work pretty well for most Internet-focused environments. Still, SonicOS could be a lot easier to use and understand in the world of NAT.
Other basic access control features within the firewall are optimised for ease of use, and we found the definition and creation of policy to be a fairly simple matter. As a zone-based firewall, the TZ200 and TZ210 suffer from a common deficit: you can't manage access control rules that cover multiple zones. (Try to do so and you'll get the strangely confusing and ungrammatical "Some rule may not be created since network object does not match related zone" error message.) When the firewall only had three zones in it (LAN, WAN and DMZ, in SonicWALL's terminology), that was OK, but now that the firewall comes with seven zones out of the box, old weaknesses in rule management are becoming more significant. As with NAT, our firewall grew an amazing number of default rules, 93 to be exact, by the time we had finished adding a few extra zones and giving it some IP addresses. That's before we actually wrote any security policy. That's a lot of rules to start with when you think you have a clean slate.
In simple environments, the difficulty of managing a security policy that starts with so many rules may not be significant, since most small office policies can be expressed with a single rule, "let people on the inside go out," and rarely change from there. But after you've thrown in a couple of DMZs, guest access, wireless and VPN features, the legendary ease-of-use for SonicWALL may become an impediment rather than a benefit. This is definitely an area that needs some work in future versions of the product.
Years of experience have given even the basic software in SonicOS v5.5 a slew of advanced features. For example, outbound (Internet) load balancing and failover is now supported for up to four different Internet connections. The new hardware also offers the option of using the cell network as your outbound interface. We configured the TZ210 to use a GSM USB cellular "modem" as our backup when the main Ethernet interface was unavailable. The TZ210 detected the problem with the main outbound interface, used the GSM device to restore our outbound connectivity, and then shut it back off when the main Ethernet connection was available again. All of this was astonishingly simple to set up and use.