The purpose of this article is to share an overview of Cisco Meraki MX firewall alternatives. Cisco Meraki has typically been a fit for small business customers and multi-site organizations where its dashboard provides enough value to IT departments. Some customers are finding, however, that their needs are outgrowing the limitations of Meraki MX firewalls, and they are looking for more sophistication from their firewall. I will review three other firewall product lines including Cisco ASA, Fortinet’s FortiGate, WatchGuard, and SonicWall.
Table of Contents
- Contact a Firewall Specialist
- Cisco Meraki MX Firewall Limitations
- Cisco Meraki MX Firewall Benefits
- Fortinet FortiGate vs Cisco Meraki
- Cisco FirePOWER vs Cisco Meraki MX Firewalls
- SonicWall vs Cisco Meraki
- WatchGuard vs Cisco Meraki MX Firewalls

Contact a Firewall Specialist
If you prefer to schedule a meeting to talk to a Network Architect about Cisco Meraki MX firewall alternatives, please fill out the form below for a free consultation (U.S. based only).
Cisco Meraki MX Firewall Limitations
The Cisco Meraki MX firewalls have some limitations compared to other firewalls on the market. Here is a list of common Cisco Meraki MX firewall limitations:
- HA failover can take up to 30 seconds due to their warm spare model. The firewalls run in an active/standby rather than an active/active HA configuration.
- Fiber optics is only available on the MX75 and up models, so remote branches that require fiber are automatically pushed into higher-priced firewalls.
- Meraki provides only basic destination NAT (port forwards) and static NAT (one-to-one relationship). You cannot choose which IP is used for source NAT for traffic that is not returning for an existing flow. You cannot disable NAT on WAN interfaces.
- There are limited QoS policies
- The only protocols supported for access-list entries are ICMP, TCP, UDP and “any”
- OSPF and BGP have been in beta, which requires you to submit a ticket in order to get it enabled
- You can’t configure IPSec VPN between two MX if the WAN ports have private IPs (such as in an MPLS). That’s because the MX firewall will not negotiate IPSec between two devices unless they are connected to the internet
- No CLI or automation scripting (no integration with Ansible, etc.)
- Cisco Meraki is a subscription model; if you do not keep your subscription, you will not keep the network
- No support for IPv6
- Use of built-in client-side VPNs (Windows/Mac/iOS)
Cisco Meraki MX Firewall Benefits
There are a lot of Cisco Meraki MX firewall benefits, which is why they have been able to gain such great market share. If you’re looking for Cisco Meraki MX firewall alternatives, then you will likely want to keep some of these features:
- Cloud-managed dashboard
- Single pane of management for firewalls, switching, and wireless access
- Network topology overview
- Ease of deployment from templates
- Granularity of details with endpoints (user, device, and application usage)
- Intuitive interface does not require much training
- Granularity of reporting and health status for applications across the WAN and LAN
- Monitor health performance of WAN links across entire organization
- Includes SD-WAN link aggregation and dynamic path selection
- Site-to-site auto VPN with SD-WAN
Fortinet FortiGate vs Cisco Meraki
Fortinet has a similar model to Cisco Meraki. You can have a cloud-managed dashboard to manage all your firewalls. It’s different in that you license the optional management software, FortiManager. Fortinet also sells switches and access points, which are all managed from the firewall. This is a great security design because it creates a security fabric across network infrastructure. Security policies are pushed down and managed from the firewall. Fortinet’s FortiGates are also much more sophisticated in terms of security, SD-WAN, and routing capabilities.
Here are some of the major differences or improvements going from Cisco Meraki MX firewalls to Fortinet’s FortiGate firewalls:
- SSL/TLS Inspection
- Security with mobile IPSec VPN
- Sub-second failover times with SD-WAN
- Natively supports enterprise routing stack (including BGP, which Meraki only supports in beta)
- IPv6 support
- Ability to scan files over 5MB for malware
- Threat protection for east/west traffic
- Multiple SD-WAN links including LTE
- Outbound NAT and dynamic NAT support
From a licensing perspective, you do need to license an HA pair with the same exact license as the primary firewall. That means if you have the UTP license on one, you need it on both. You can mix and match terms, but that will just add confusion down the road when you need to renew. This is a major cost difference for FortiGates vs Meraki, SonicWall and potentially others as well.
Cisco FirePOWER vs Cisco Meraki MX Firewalls
Cisco Meraki fits the needs of most SMB and single-person IT departments. They are great for set-it-and-forget-it type deployments, especially if you already have a Meraki switch or access point deployment. The question of Cisco ASA vs Cisco Meraki MX firewalls is similar to that of Cisco SMB switches vs Cisco enterprise switches. There are a lot more features and customization with the Cisco ASA than there are with the Cisco Meraki MX firewall. A major difference between the two is that Cisco requires FirePOWER to manage the firewall. This can either be built into the firewall or run as a VM (requires VMware, no support for Hyper-V). Cisco FirePOWER also does not come with the ability to do SD-WAN. That must be done through Viptela (Cisco SD-WAN) or some other third party.
Here are some of the major differences or improvements going from Cisco Meraki MX firewalls to Cisco ASA FirePOWER firewalls:
- SSL/TLS Inspection
- Cisco AnyConnect VPN client is rock-solid
- No SD-WAN capabilities. Must use separate product (Cisco SD-WAN, aka Viptela)
- IPv6 Support
- Natively supports enterprise routing stack (including BGP, which Meraki only supports in beta)
- Outbound NAT and dynamic NAT support
SonicWall vs Cisco Meraki
SonicWall is a no-frills firewall. It has a legacy-looking dashboard with good management capabilities, but it is not as intuitive as Meraki and does not have a rich graphical user interface like Meraki’s. Unlike Meraki, it requires greater administration effort, but it also has more capabilities.
Here are some of the major differences or improvements going from Cisco Meraki MX firewalls to SonicWall:
- SSL/TLS Inspection
- NetExtender VPN client is a mature, rock-solid VPN client
- Includes SD-WAN
- IPv6 support
- Supports enterprise routing features including BGP and OSPF
- Outbound NAT and dynamic NAT support
- SonicWall does offer switches and access points as well
WatchGuard vs Cisco Meraki MX Firewalls
WatchGuard has turned itself from a firewall-only company into a security company by including new security products and integrating them into their firewall. They have had a strong reputation for SD-WAN and for being a strong firewall with good management capabilities and features. WatchGuard lacks any network switching products but does have access point products. They also have endpoint security products like endpoint detection and response as well as DNS-layer security.
Here are some of the major differences or improvements going from Cisco Meraki MX firewalls to WatchGuard:
- SSL/TLS Inspection
- IPv6 support
- Dynamic NAT
- Includes SD-WAN
- Has its own VPN client
- Supports enterprise routing features including BGP, OSPF, and RIPng