An Engineer’s Perspective on Managed Firewalls

Most of the articles you’ll read today on the pros and cons of MSP-managed firewalls focus on these two buzzwords – CapEx and OpEx.

While choosing upfront or recurring expenses is certainly an important decision for the business, as an engineer that installs both managed and non-managed firewalls for our customers, I wanted to share some technical aspects of the decision that should be considered as well.

Are Your Employees Trained?

Customers that want to migrate to or install a new non-managed firewall should consider if the employee(s) that will be managing this firewall know how to use it. If not, how long will it take them to get up to speed?

The Fortinet NSE4 certification, for example, is 5 days of training material, not including engineer practice time. Do your employees have this time to dedicate to learning how to use the FortiGate?

Best Practices, Advanced Configuration, and Troubleshooting

Knowing how to use the firewall extends beyond simply making a new policy or blocking a website. To make the most use of the new firewall, and to ensure the business is protected, the firewall admins should know how to:

  • Ensure any changes are made in line with configuration and security best practices
  • Utilize advanced features of the firewall, such as single sign-on
  • Incorporate and use other security devices and software to improve network security, visibility, and/or management (for example, devices in the Fortinet Security Fabric)
  • Troubleshoot all components if/when an issue arises for quick issue resolution

Vulnerability Mitigation and Patching

Finally, will your admins stay on top of firewall patches and vulnerabilities?

Firewall vendors regularly release updated firmware versions. These updates can include bug fixes, new features, and vulnerability mitigations, and can sometimes even introduce new bugs of their own.

Your engineers will need to be prepared to keep an eye out for these updates and vulnerability announcements and assess their importance for your business.

Once it has been decided that a particular upgrade is necessary, you will want to ensure the new firmware is fully tested in a lab environment before being rolled out to production to avoid any surprises.

VPLS – Managed Firewalls

By choosing VPLS – Managed Firewalls, you ensure that your business has certified experts – holding Fortinet NSE8, Cisco CCIE Security, Palo Alto PCNSE, and more – deploying, managing, and monitoring your firewalls 24×7.


From my perspective, an engineer’s perspective, this is the biggest pro to choosing an MSP – Managed Firewall vs. managing it yourself.


