How to decide between NG Firewall and Micro Edge

Overview

Edge Threat Management consists of two different products: our full-featured NG Firewall and the lighter-weight Micro Edge. This article aims to help you decide which is the best for your deployment scenario.

What do both systems have in common?

• Both platforms are, first and foremost, NAT security devices. Each device will prevent unauthorized access into your network.
• Both devices are capable of layer-3 routing, DNS forwarding, and DHCP serving.
• Both can provide Web content filtering and IP reputation protections with our Web Filter and Threat Prevention apps.
• Both devices can provide VPN connectivity to remote VPN servers via IPsec, OpenVPN, and WireGuard VPN. Both products can be connected using ETM Dashboard's centrally-managed VPN feature.
• Both provide WAN balancing and failover capabilities.
• Both devices include traffic shaping and QoS features.
• Both systems have application identification, classification, and control features.
• Both support Zero-Touch Provisioning and central management through ETM Dashboard.

What is NG Firewall?

NG Firewall is a powerful, comprehensive Unified Threat Management system. It can be referred to as a "firewall", but it has many other features beyond a basic security firewall.

What advantages does NG Firewall have over Micro Edge?

• NG Firewall can be deployed in a public cloud, such as Amazon Web Services or Microsoft Azure.
• NG Firewall's routing features are more robust, offering support for OSPF & BGP dynamic routing as well as more granular control over layer-3 traffic controls. It also supports Dynamic DNS configuration.
• NG Firewall's feature selection is much greater, offering additional security & protection features: Virus Blocker, Intrusion Prevention, Captive Portal, User Directory, Policy Management, and SSL Inspector.
• NG Firewall can act as a VPN server, allowing remote clients & sites to connect via IPsec, OpenVPN, and WireGuard VPNs. Micro Edge can only act as a VPN client (it cannot accept incoming VPN connections).
• NG Firewall's Reports are significantly more powerful and informative than Micro Edge's limited reporting capacity. They're also much longer-term, allowing for up to one year's on-device retention. NG Firewall also supports remote syslog and SNMP, which are not available in Micro Edge.
• NG Firewall has user management features, enabling you to create different application & security policies for different groups of users. NG Firewall also supports a number of user authentication features, including Active Directory, Captive Portal, and 802.1x RADIUS proxying.
• NG Firewall also offers "bridge mode", allowing the NG Firewall to be placed into the network behind an existing router. In this configuration, most routing functions are deferred to the existing router, while the NG Firewall provides only its content filtering & protection applications. Micro Edge can only be positioned at the edge of the network.
• NG Firewall includes troubleshooting tools, which Micro Edge lacks.

What is Micro Edge?

Micro Edge is a lightweight edge routing device with a focus on providing connectivity for smaller sites in a distributed enterprise: branch locations, smaller "hub" sites in a hub-and-spoke configuration, and so forth.

What advantages does Micro Edge have over NG Firewall?

• Micro Edge features intelligent, predictive WAN routing, enabling it to determine in real time the best WAN to use for each outgoing session.
• Micro Edge's E6WL/Q6EWL appliance supports LTE connectivity via AT&T, T-Mobile, or Verizon Wireless. This connection can be used as either a backup or main internet connection.
• Micro Edge can be significantly less expensive than a full NG Firewall appliance.
• Micro Edge's administrative UI is more modern & responsive when compared with NG Firewall.
• Micro Edge licensing is based on the site's bandwidth, rather than individual host/user counts. This can result in more affordable subscriptions when compared with the full NG Firewall Complete package.
• Micro Edge can be much quicker to set up, as there are fewer options & applications to configure.

Example deployment scenarios

I have only one physical location.

NG Firewall is the recommended solution in this case. Micro Edge does not have the same security capabilities as NG Firewall and is not recommended for use as a standalone edge device.

If you have any road warriors or remote workers who need to be able to connect to the site, you must use NG Firewall: Micro Edge cannot accept incoming VPN connections.

I have multiple locations: one headquarters office and some small offices.

In this situation, we recommend NG Firewall at your main site and Micro Edge at each satellite office. Each Micro Edge will have a VPN tunnel to the NG Firewall.

You'll have two different VPN connectivity options:

• split-tunnel, meaning the VPN is only used to connect your specified remote subnets together. Any other traffic uses the site's own internet connection. Used in this way, Micro Edge provides a low-cost way to provide the branch offices with access to resources at the main office.
• full-tunnel, meaning that all traffic leaving the site crosses the VPN tunnel. This enables you to configure a single NG Firewall to handle all filtering & processing over multiple physical locations. It's especially useful if your branch offices have only a few hosts. (Note that in this configuration, the NG Firewall's hardware must be powerful enough to handle the entire network.)

You can mix and match split- and full-tunnel configurations to meet your needs. For example, one remote office may only need to access a local file server, but not need any of the more advanced capabilities of NG Firewall. You can use a split tunnel for that site, while using full tunnels for other sites which have more active workers or greater filtering needs.

You can also use smaller NG Firewall appliances at each branch office. This enables you to have remote workers connecting directly to their appropriate office. It also reduces the power needed in the central NG Firewall, as each individual site can conduct its own filtering.

I have multiple locations which need to be interconnected, but no central HQ.

In this case, the most common deployment would be an individual NG Firewall at each site. Each site can be connected to all other sites, or only to those you specify.

Alternatively, you could deploy a Micro Edge to each location and use an NG Firewall appliance installed to a public cloud service, such as Amazon Web Services or Microsoft Azure.

What if I need more assistance deciding?

Existing customers or partners should contact your Sales representative or the general Sales group:

• by phone at +1 (877) 754-2986, option 1
• by email at edge.sales@arista.com

If you are not an existing customer and you'd like more information, please reach out to edge.info@arista.com.