How to decide between NG Firewall and Micro Edge

Overview

Edge Threat Management consists of two different products: our full-featured NG Firewall and the lighter-weight Micro Edge. This article aims to help you decide which is the best for your deployment scenario.

What do both systems have in common?

• Both platforms are, first and foremost, NAT security devices. Each device will prevent unauthorized access into your network.
• Both devices are capable of layer-3 routing, DNS forwarding, and DHCP serving.
• Both can provide Web content filtering and IP reputation protections with our Web Filter and Threat Prevention apps.
• Both include a Captive Portal feature.
• Both devices can provide VPN connectivity to remote VPN servers via IPsec, OpenVPN, and WireGuard VPN. 
• Both provide WAN balancing and failover capabilities.
• Both devices include traffic shaping and QoS features.
• Both systems have application identification, classification, and control features.
• Both support Zero-Touch Provisioning and central management through ETM Dashboard.

What is NG Firewall?

NG Firewall is a powerful, comprehensive Unified Threat Management system. It can be referred to as a "firewall", but it has many other features beyond a basic security firewall.

What advantages does NG Firewall have over Micro Edge?

• NG Firewall can be deployed in a public cloud, such as Amazon Web Services or Microsoft Azure.
• NG Firewall's routing features are more robust, offering support for OSPF & BGP dynamic routing as well as more granular control over layer-3 traffic controls. It also supports Dynamic DNS configuration.
• NG Firewall's feature selection is much greater, offering additional security & protection features: Virus Blocker, Intrusion Prevention, User Directory, Policy Management, and SSL Inspector.
• NG Firewall can act as a VPN server, allowing remote clients & sites to connect via IPsec, OpenVPN, and WireGuard VPNs. Micro Edge can only act as a VPN client (it cannot accept incoming VPN connections).
• NG Firewall's Reports are significantly more powerful and informative than Micro Edge's limited reporting capacity. They're also much longer-term, allowing for up to one year's on-device retention. NG Firewall also supports remote syslog and SNMP, which are not available in Micro Edge.
• NG Firewall has user management features, enabling you to create different application & security policies for different groups of users. NG Firewall also supports a number of user authentication features, including Active Directory, Captive Portal, and 802.1x RADIUS proxying.
• NG Firewall also offers "bridge mode", allowing the NG Firewall to be placed into the network behind an existing router. In this configuration, most routing functions are deferred to the existing router, while the NG Firewall provides only its content filtering & protection applications. Micro Edge can only be positioned at the edge of the network.
• NG Firewall includes troubleshooting tools, which Micro Edge lacks.

What is Micro Edge?

Micro Edge is a lightweight edge routing device with a focus on providing connectivity for smaller sites in a distributed enterprise: branch locations, smaller "hub" sites in a hub-and-spoke configuration, and so forth.

What advantages does Micro Edge have over NG Firewall?

• Micro Edge features intelligent, predictive WAN routing, enabling it to determine in real time the best WAN to use for each outgoing session.
• Micro Edge's Q6EWL appliance supports LTE connectivity via AT&T, T-Mobile, or Verizon Wireless. This connection can be used as either a backup or main internet connection.
• Micro Edge can be significantly less expensive than a full NG Firewall appliance.
• Micro Edge's administrative UI is more modern & responsive when compared with NG Firewall.
• Micro Edge licensing is simpler and more affordable than NG Firewall's.
• Micro Edge can be much quicker to set up, as there are fewer options & applications to configure.
• Micro Edge can be configured directly from ETM Dashboard, without needing to connect to the device itself. These policies can even be created when the device is offline or in transit, so they are deployed immediately when it connects to the Internet.

Example deployment scenarios

I have only one physical location.

NG Firewall is the recommended solution in this case. Micro Edge does not have the same security capabilities as NG Firewall and is not recommended for use as a standalone edge device.

If you have any road warriors or remote workers who need to be able to connect to the site, you must use NG Firewall: Micro Edge cannot accept incoming VPN connections.

I have multiple locations: one headquarters office and some small offices.

In this situation, we recommend NG Firewall at your main site and Micro Edge at each satellite office. Each Micro Edge will have a VPN tunnel to the NG Firewall.

You'll have two different VPN connectivity options:

• split-tunnel, meaning the VPN is only used to connect your specified remote subnets together. Any other traffic uses the site's own internet connection. Used in this way, Micro Edge provides a low-cost way to provide the branch offices with access to resources at the main office.
• full-tunnel, meaning that all traffic leaving the site crosses the VPN tunnel. This enables you to configure a single NG Firewall to handle all filtering & processing over multiple physical locations. It's especially useful if your branch offices have only a few hosts. (Note that in this configuration, the NG Firewall's hardware must be powerful enough to handle the entire network.)

You can mix and match split- and full-tunnel configurations to meet your needs. For example, one remote office may only need to access a local file server, but not need any of the more advanced capabilities of NG Firewall. You can use a split tunnel for that site, while using full tunnels for other sites which have more active workers or greater filtering needs.

You can also use smaller NG Firewall appliances at each branch office. This enables you to have remote workers connecting directly to their appropriate office. It also reduces the power needed in the central NG Firewall, as each individual site can conduct its own filtering.

I have multiple locations which need to be interconnected, but no central HQ.

In this case, the most common deployment would be an individual NG Firewall at each site. Each site can be connected to all other sites, or only to those you specify.

Alternatively, you could deploy a Micro Edge to each location and use an NG Firewall appliance installed to a public cloud service, such as Amazon Web Services or Microsoft Azure.

What if I need more assistance deciding?

Existing customers or partners should contact your Sales representative.

If you are not an existing customer and you'd like more information, please reach out to edge.info@arista.com