What network ports are used by Synology DSM services?

Last updated: Aug 10, 2023


The operations of DSM services require specific ports to be opened to ensure normal functionality. In this article, you can find the network ports and protocols required by DSM services for operations.



Setup Utilities

TypePort NumberProtocol
Synology Assistant9999, 9998, 9997UDP


TypePort NumberProtocol
Active Backup for Business5510 (Synology NAS)1TCP
443 (vCenter Server and ESXi host), 902 (ESXi host),
445 (SMB for Hyper-V host), 5985 (HTTP for Hyper-V host), 5986 (HTTPS for Hyper-V host)
Data Replicator, Data Replicator II, Data Replicator III9999, 9998, 9997, 137, 138, 139, 445TCP
DSM 5.2 Data Backup, rsync, Shared Folder Sync, Remote Time Backup873, 22 (if encrypted over SSH)TCP
Hyper Backup (destination)6281 (remote Synology NAS), 22 (rsync with transfer encryption enabled), 873 (rsync without transfer encryption)TCP
Hyper Backup Vault6281,
For DSM 7.0 or above: 5000 (HTTP), 5001 (HTTPS)
DSM 5.2 Archiving Backup6281TCP
LUN Backup3260 (iSCSI), 873, 22 (if encrypted over SSH)TCP
Snapshot Replication5566 (Advanced LUNs and shared folders)TCP
3261 (Legacy Advanced LUNs)TCP


TypePort NumberProtocol
BTFor DSM 2.0.1 or above: 16881,
For DSM 2.0.1-3.0401 or below: 6890-6999

Web Applications

TypePort NumberProtocol
DSM5000 (HTTP), 5001 (HTTPS)TCP

Mail Service

TypePort NumberProtocol

File Transferring

TypePort NumberProtocol
CIFS/SMBsmbd: 139 (netbios-ssn), 445 (microsoft-ds)TCP/UDP
Nmbd: 137, 138UDP
FTP, FTP over SSL, FTP over TLS21 (command),
20 (data connection in Active Mode), 1025-65535 (data connection in Passive Mode)2
iSCSI3260, 3263, 3265TCP
NFS111, 892, 2049TCP/UDP
WebDAV5005, 5006 (HTTPS)TCP


TypePort NumberProtocol
Audio Station1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 5353 (Bonjour service), 6001-6010 (AirPlay control/timing)TCP/UDP
C2 Identity Edge Server389 (LDAP), 7712 (HTTP), 8864TCP
Central Management System5000 (HTTP), 5001 (HTTPS)TCP
CIFS Scale-out Cluster49152-49252TCP/UDP
17909, 17913, 19998, 24007, 24008, 24009-24045, 38465-38501, 4379TCP
Cloud Station6690TCP
DHCP Server53, 67, 68TCP/UDP
DNS Server53 (named)TCP/UDP
LDAP Server (formerly Directory Server)389 (LDAP), 636 (LDAP with SSL)TCP
Download Station5000 (HTTP), 5001 (HTTPS)TCP
File Station5000 (HTTP), 5001 (HTTPS)TCP
Hybrid Share50051 (catalog), 443 (API), 4222 (NATS)TCP
iTunes Server3689TCP
Log Center (syslog server)514 (additional port can be added)TCP/UDP
Logitech® Media Server3483, 9002TCP
MailPlus Server1344, 4190, 5000 (HTTP), 5001 (HTTPS), 5252, 8500 – 8520, 8893, 9526 – 9529, 10025, 10465, 10587, 11211, 11332 – 11334, 12340, 24245, 24246TCP
MailPlus web client5000 (HTTP), 5001 (HTTPS)TCP
Mail Station80 (HTTP), 443 (HTTPS)TCP
Media Server1900 (UPnP), 50001 (content browsing), 50002 (content streaming)TCP/UDP
Migration Assistant7400-7499 (DRBD), 22 (SSH)3DRBD
Note Station5000 (HTTP), 5001 (HTTPS)TCP
Photo Station, Web Station80 (HTTP), 443 (HTTPS)TCP
Presto File Server3360, 3361TCP/UDP
Proxy Server3128TCP
RADIUS Server1812, 18120UDP
SMI-S Provider5988 (HTTP), 5989 (HTTPS)TCP
Surveillance Station5000 (HTTP), 5001 (HTTPS)TCP
Synology Calendar5000 (HTTP), 5001 (HTTPS)TCP
Synology CardDAV Server8008 (HTTP), 8443 (HTTPS)TCP
Synology Chat5000 (HTTP), 5001 (HTTPS)TCP
Synology Contacts5000 (HTTP), 5001 (HTTPS)TCP
Synology Directory Server88 (Kerberos), 389 (LDAP), 464 (Kerberos password change)TCP/UDP
135 (RPC Endpoint Mapper), 636 (LDAP SSL), 1024 (RPC), 3268 (LDAP GC), 3269 (LDAP GC SSL), 49152 (RPC)4, 49300-49320 (RPC)TCP
Synology Drive Server80 (link sharing), 443 (link sharing), 5000 (HTTP), 5001 (HTTPS), 6690 (file syncing/backup)TCP
Synology High Availability (HA)123 (NTP), ICMP, 5000 (HTTP), 5001 (HTTPS),
1234, 9997, 9998, 9999 (Synology Assistant), 874, 5405, 5406, 7400-7999 (HA)
Synology Moments5000 (HTTP), 5001 (HTTPS)TCP
Synology Photos5000 (HTTP), 5001 (HTTPS)TCP
Video Station1900 (UDP), 5000 (HTTP), 5001 (HTTPS), 9025-9040, 5002, 5004, 65001 (for using the HDHomeRun network tuner)TCP/UDP
Virtual Machine Manager2379-2382 (cluster network), ICMP, 3260-3265 (iSCSI), 5000 (HTTP), 5001 (HTTPS), 5566 (replication), 16509, 16514, 30200-30300, 5900-5999 (QEMU), 2385 (Redis Server)TCP
VPN Server (OpenVPN)1194UDP
VPN Server (PPTP)1723TCP
VPN Server (L2TP/IPSec)500, 1701, 4500UDP

Mobile Applications

TypePort NumberProtocol
DS audio5000 (HTTP), 5001 (HTTPS)TCP
DS cam5000 (HTTP), 5001 (HTTPS)TCP
DS cloud6690TCP
DS file5000 (HTTP), 5001 (HTTPS)TCP
DS finder5000 (HTTP), 5001 (HTTPS)TCP
DS get5000 (HTTP), 5001 (HTTPS)TCP
DS note5000 (HTTP), 5001 (HTTPS)TCP
DS photo80(HTTP), 443 (HTTPS)TCP
DS video5000 (HTTP), 5001 (HTTPS)TCP
MailPlus5000 (HTTP), 5001 (HTTPS)TCP
Synology Drive5000 (HTTP), 5001 (HTTPS)TCP
Synology Moments5000 (HTTP), 5001 (HTTPS)TCP
Synology Photos5000 (HTTP), 5001 (HTTPS)TCP

Peripheral Equipment

TypePort NumberProtocol
Network Printer (IPP)/CUPS631TCP
Network MFP3240-3259TCP


TypePort NumberProtocol
Resource Monitor/SNMP161TCP/UDP
WS-Discovery5357 (Nginx)TCP


  1. For the backup destination of Synology NAS, Hyper-V, or physical Windows/Linux/macOS devices.
  2. The default range varies according to your Synology product models.
  3. For the SSH service that runs on a customized port, make sure the port is accessible.
  4. Only Synology Directory Server version 4.10.18-0300 requires port 49152.

Further reading

Source :

Enable Remote Desktop (Windows 10, 11, Windows Server)

Last Updated: June 22, 2023 by Robert Allen

In this guide, you will learn how to enable Remote Desktop on Windows 10, 11, and Windows Server. I’ll also show you on to enable RDP using PowerShell and group policy.

Tip: Use a remote desktop connection manager to manage multiple remote desktop connections. You can organize your desktops and servers into groups for easy access.

Table of contents

In the diagram below, my admin workstation is PC1. I’m going to enable RDP on PC2, PC3, and Server1 so that I can remotely connect to them. RDP uses port TCP 3389. You can change the RDP listening port by modifying the registry.

Enable Remote Desktop on Windows 10

In this example, I’m going to enable remote desktop on PC2 that is running windows 10.

Step 1. Enable Remote Desktop

Right click the start menu and select system.

Under related settings click on Remote desktop.

Click the slider button to enable remote desktop.

You will get a popup to confirm that you want to enable Remote desktop. Click confirm.

Next, Click on Advanced Settings.

Make sure “Require computers to use Network Level Authentication to connect” is selected.

This setting will force the user to authenticate before it will start a remote desktop session. This setting will enable a layer of security and prevent unauthorized remote connections.

Step 2. Select Users Accounts

The next step is to ensure only specific accounts can use RDP.

By default, only members of the local administrators group will be allowed to connect using remote desktop.

To add or remove user accounts click on “select users that can remotely access this PC”.

To add a user click the Add button and search for the username.

In this example, I’m going to add a user Adam A. Anderson.

Tip. I recommend creating a domain group to allow RDP access. This will make it easier to manage and audit RDP access.

That was the last step, remote desktop is now enabled.

Let’s test the connection.

From PC1 I open Remote Desktop Connection and enter PC2.

I am prompted to enter credentials.


I now have a remote desktop connection to PC2.

In the screenshot below you can see I’m connected via console to PC1 and I have a remote desktop connection open to PC2.

Damware Mini Remote Control

Multiple monitor support. Reboot and wake sleeping computers remotely.

Remote access to Windows, Linux, and Mac OS X operating systems. In session chat, remote screenshot, file transfer, and more.

Download 14 Day Free Trial

Enable Remote Desktop on Windows 11

In this example, I’ll enable remote desktop on my Windows 11 computer (PC3).

Step 1. Enable Remote Desktop

Click on search.

Enter “remote desktop” and click on “Remote desktop settings”

Click the slider to enable remote desktop. You will get a popup to confirm.

Click the down arrow and verify “Require devices to use Network Level Authentication to connect” is enabled.

Remote Desktop is now enabled. In the next step, you will select which users are allowed to use remote desktop.

Step 2. Remote Desktop Users

By default, only members of the local administrators group can use remote desktop. To add additional users follow these steps.

Click on “Remote Desktop users”

Click on add and search or enter a user to add. In this example, I’ll add the user adam.reed.

Now I’ll test if remote desktop is working.

From my workstation PC1 I’ll create a remote desktop connection to PC3 (windows 11).

Enter the password to connect.

The connection is good!

You can see in the screenshot below I’m on the console of PC1 and I have a remote desktop connection to PC3 that is running Windows 11.

Enable Remote Desktop on Windows Server

In this example, I’ll enable remote desktop on Windows Server 2022.

Step 1. Enable Remote Desktop.

Right click the start menu and select System.

On the settings screen under related settings click on “Remote desktop”.

Click the slider button to enable remote desktop.

You will get a popup to confirm that you want to enable Remote desktop. Click confirm.

Click on Advanced settings.

Make sure “Require computers to use Network level Authentication to connect” is enabled.

Remote desktop is now enabled, the next step is to select users that can remotely access the PC.

Step 2. Select User accounts

By default, only members of the local administrators group will be allowed to connect using remote desktop.

To add additional users click on click on “select users that can remotely access this pc”.

Next, click add then enter or search for users to add. In this example, I’ll add the user robert.allen. Click ok.

Now I’ll test if remote desktop is working on my Windows 2022 server.

From my workstation (pc2) I open the remote desktop connection client and enter srv-vm1and click connect. Enter my username and password and click ok.

Awesome, it works!

I’ve established a remote session to my Windows 2022 server from my Windows 10 computer.

PowerShell Enable Remote Desktop

To enable Remote Desktop using PowerShell use the command below. This will enable RDP on the local computer.

Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0

You can use the below PowerShell command to check if remote desktop is enabled.

if ((Get-ItemProperty "hklm:\System\CurrentControlSet\Control\Terminal Server").fDenyTSConnections -eq 0) { write-host "RDP is Enabled" } else { write-host "RDP is NOT enabled" }

To enable remote desktop remotely you can use the invoke-command. This requires PS remoting to be enabled, check out my article on remote powershell for more details.

In this example, I’ll enable remote desktop on the remote computer PC2.

invoke-command -ComputerName pc2 -scriptblock {Set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' -name "fDenyTSConnections" -value 0} 

Group Policy Configuration to allow RDP

If you need to enable and manage the remote desktop settings on multiple computers then you should use Group Policy or intune.

Follow the steps below to create a new GPO.

Step 1. Create a new GPO

Open the group policy management console and right click the OU or root domain to create a new GPO.

In this example, I’m going to create a new GPO on my ADPPRO Computers OU, this OU has all my client computers.

Give the GPO a name.

Edit the GPO and browse to the following policy setting.

Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections;

Enable the policy setting -> Allow users to connect remotely by using Remote Desktop Services

That is the only policy setting that needs to be enabled to allow remote desktop

Step 2. Update Computer GPO

The GPO policies will auto refresh on remote computers every 90 minutes.

To manually update GPO on a computer run the gpupdate command.

When remote desktop is managed with group policy the settings will be greyed out. This will allow you to have consistent settings across all your computers. It will also prevent users or the helpdesk from modifying the settings.

That’s a wrap.

I just showed you several ways to enable remote desktop on Windows computers. If you are using Active Directory with domain joined computers then enabling RDP via group policy is the best option.

Related Articles

Recommended: Active Directory Permissions Reporting Tool

The ARM Permissions Reporting Tool helps you monitor, analyze, and report on the permissions assigned to users, groups, computers, and organizational units in your Active Directory

You can easily identify who has what permissions, where they came from, and when they were granted or revoked. You can also generate compliance-ready reports for various standards and regulations, such as HIPAA, PCI DSS, SOX, and GDPR

Get instant visibility into user and group permissions.

Download Free Trial

Source :

PHD Virtual Backup 6.0

By Vladan SEGET | Last Updated: June 28, 2023

PHD Virtual Backup 6.0 – Backup, Restore, Replication and Instant recovery. PHD Virtual has released their new version of backup software for VMware vSphere environments. PHD Virtual backup 6.0 comes up with several completely new features. Those features that are specific to virtualized environments. In this review I’ll focus more on those new features instead on the installation process, which is fairly simple. This review contains images, which can be clicked and enlarged (most of them) to see all the details from the UI.

Now first something that I was not aware of. Even if I work as a consultant, I must say I focus most of the time on the technical side of a solution which I’m implementing and I leave the commercial (licensing) part to vendors or resellers.  But with this review I would like to point out that PHD Virtual Backup 6.0 is licensed on a per-host basis. Not CPU Socket like some vendors do, but also not per site like other vendors do. As a result, their price is a fraction of the cost of competitive alternatives.

Introduction of PHD Virtual Backup and Recovery 6.0

The PHD Virtual Backup 6.0 comes up with quite a few new features that I will try to cover in my review. One of them is the Instant Recovery, which enables to run VM directly from a backup location and initiate storage vMotion from within VMware vSphere to move the VM back to your SAN.

But PHD Virtual goes even further by developing a proprietary function to initiate the move of the VM by using PHD Motion. What is it? It’s an alternative for SMB users which does not have VMware Enterprise and Enterprise Plus License, which includes storage vMotion.

PHD Motion does not require VMware’s storage vMotion in order to work. It leverages multiple streams, intelligent data restore, direct storage recovery to copy a running state of a VM back to the SAN, while the VM still runs in the sandbox at the storage location. Therefore, it is much faster at moving the data back to production than storage vMotion.

The delta changes to the VM are maintained in another, separate temporary location.  So the final switch back to SAN happens fairly quickly since only the deltas of changes between the VM which runs from the backup and the VM which is located back on SAN, are quickly copied. So small planned downtime (about the time for a VM reboot) is necessary.

Installation of the Software

PHD Virtual Backup 6.0

The installation will take like 5 minutes, just to deploy the OVF into vCenter and configure the network interface, storage …. and that’s it. Pretty cool!

One of those differences from previous version of PHD Virtual backup is the Instant Recovery Configuration TAB, since this feature has just been introduced in the PHD Virtual Backup 6.0.

The Instant recovery feature is available for Virtual Full backups only. The full/incremental backup types are not currently supported for instant recovery, so if you select the full/incremental option, you might see that the Instant Recovery option isn’t available. Use Virtual Full option when configuring your backup jobs to take benefit of Instant recovery.

PHD Virtual Backup and Replication 6.0 If you choose the full/incremental backup type, the Instant VM recovery isn't currently supported

PHD Virtual backup 6.0 – Replication of VMs.

Replication – This feature requires at least one PHD VBA installed and configured with access to both environments – but if you will be using replication in larger environments, you may need additional PHD VBAs. For instance, one PHD VBA deployed at the primary site would be configured to run regular backups of your VMs while a second PHD VBA could be deployed to the DR site configured to replicate VMs from the primary site to the secondary location.

The replication of VMs is functionality that is very useful for DR plans. You can also configure the replication within the same site as well, and choose a different datastore ( and ESXi host) as a destination. This is my case, because I wanted to test this function, since my lab don’t have two different locations.

The replication job works the way that only the first replica is full copy. PHD VM replication takes data from existing backups and replicates those to a cold standby VM. After the VM is initially created during the first pass, PHD uses its own logic to transfer only the changes from the previous run.

You can see the first and second job, when finishes on the image below. The latter one took only 51 s.

PHD Virtual Backup 6.0 - Replication Jobs

Testing Failover – After the replica VM is created, you have the option to test each replica to validate your standby environment or to failover to your replicated VMs. There is a Start Test button in order to proceed.

PHD Virtual 6.0 - testing failover button

What’s happening during the test. At first, another snapshot is created of the Replica VM. This is only to have the ability to get back to the state before the test. See the image below.

PHD Virtual Backup 6.0 - Testing the Replication with the Failover Test Button

This second snapshot is deleted the moment when you’re done with the testing of that failover VM, you tested that the application is working etc…. The VM is powered off and it is rolled back to the state it was in prior to testing mode.

So when you click the Stop Test button (it changed text), the replica Status is changed back to STANDBY, once again click Refresh button to refresh the UI.

If you lose your primary site, you can go to the PHD console at the DR site and failover the VMs which has been replicated there.  You can recover your production environment there by starting the VMs that has been replicated.  And now, when you run your production (or at least the most critical VMs) from DR site, and because you don’t have a failover site anymore, you should consider start backing up those VMs in failover mode….. it will be helpful when failing back to the main primary site, when damages there gets repaired.

Why one would have to start doing backups as soon as the VMs are in failover state ? …. Here is a quick quote from the manual:

When ending Failover, any changes made to the replica VM will be lost the next time replication runs. To avoid losing changes, be sure to fail back the replica VM (backup and restore) to a primary site prior to ending Failover mode.

I can only highly recommend to read the manual where you’ll find all the step-by-steps and all those details. In this review I can’t focus to provide all those step-by-step procedures. The manual is a PDF file very good quality, with many screenshots and walk through guides. In addition, there are some nice FAQ which were certainly created as a result of feedback from customer’s sites. One of them is for example a FAQ for increasing backup storage and the step-by-step follows. Nice.

You can see the possibility to end the failover test with the Stop Test button.

PHD Virtual Backup 6.0 - end falover test.

Seeding – If you have some huge amount of data to replicate for the DR site you can seed the VMs data before configuring the replication process. The seeding process is process when you pre-populate the VMs to the DR site first. This can be done through removable USB drives, or small NAS device. When the seeding is complete, you can start creating the replication jobs to move only the subsequent changes.

In fact the seeding process is fairly simple. Here is the outline. First create full backup of VMs > copy those backups to NAS or USB for transport >  Go to the DR site and deploy PHD VBA and add the data that you have with you as a replication datastore > create and run replication job to replicate all the VMs from the NAS (USB) to your DR site > Remove the replication datastore and the NAS and create the replication job where you specify the the primary site datastore as a source. Only the small, incremental changes will be replicated and sent over the WAN.

PHD Virtual Backup 6.0 – File level Recovery

File level recovery is a feature that is used at most in virtual environments, when it comes to console manipulations. I think, since more frequently you (or your users) are in need for file restore, than VM crashes or corruption, so the full VM needs to be restored.

I’ve covered the the FLR process in the 5.1 version by creating an iSCSI target and then mounting the volume as an additional disk in computer management, but the option was greatly simplified in PHD Virtual Backup 6.0. In fact when you run the assistant, you have the now a choice between the creation of iSCSI target and create windows share. I took the option Create Windows share.

All the backup/recovery/replication tasks are done through assistants. The task is composed with just few steps:

First selecting the recovery point , then create a windows share (or iSCSI target) > and mount this share to finally be able to copy-paste the files that needs to be restored from withing that particular VM.

The process is fast and direct. It takes few clicks to get the files back to the user’s VM. You can see the part of the process on the images at left and bellow.

PHD Virtual Backup and Replication 6.0 - file level restore final shot - you can than easily copy paste the files you need

PHD Virtual Backup 6.0 – Instant VM Recovery and PHD Motion – as said in the beginning of my review, the PHD virtual backup 6.0 has the ability to run VMs directly from backup location.

The Instant VM Recovery works out of the box without further necessity to setup the temporarily storage location, but if needed, the location for temporary changes can be changed from the defaults. But there is usually no need to do so.

You can do it in Configuration > Instant VM Recovery.

There is a choice between the attached virtual disk and VBA’s backup storage.

PHD Virtual Backup 6.0 - configuration of temporary storage location for Instant VM recovery

Then we can have a look and see how the Instant VM recovery option works. Let’s start by selecting the recovery point that we would want to use for that. An XP VM which I backed up earlier will do. Right Click the point in time from which one you want to recover (usually the latest), and choose recover.

PHD Virtual Backup 6.0 - Instant VM Recovery

At the next screen there is many options. I checked the Power On VM after recovery and Recover using original storage and network settings from backup. Like this the VM is up and running with network connectivity as soon as possible. I did also checked the option to Automatically start PHD Motion Seeding, which will start copying the VM back to my SAN.

When the copy finishes I’ll receive a confirmation e-mail…..  Note that you have a possibility to schedule this task as well.

PHD Virtual Backup 6.0 - Instant VM recovery and PHD Motion

On the next screen you can see the final screen before you hit the submit button. You can make changes there if you want.

PHD Virtual Backup 6.0 - Instant VM recovery and PHD Motion

The VM is registered in my vCenter and started from the backup location. 1 min later my VM was up. The VM was running from temporary storage created by PHD Virtual backup 6.0. The temporary storage that I configured before, when setting up the software.

You can see on the image below which tasks are performed by PHD Virtual backup 6.0 in the background.

PHD Virtual Backup 6.0 - Instant VM Recovery with PHD Motion

So, we have the Instant VM Recovery tested and our VM is up and running. Now there are two options, depending if you have storage vMotion licensed or not.

With VMware Storage vMotion – If that’s the case, you can initiate storage vMotion from the temporary datastore created by PHD Virtual back to your datastore located on your SAN.

When the migration completes, open the PHD Console and click Instant VM Recovery. In the Current tab, select the VM that
you migrated and click End Instant Recovery to remove the VM from the list.

Using PHD Motion – If you don’t have storage vMotion, you can use PHD Motion. How it works… Let’s see. You remember that during the assistant launching the Instant VM recovery, we selected an option to start PHD Motion seeding.

This option will start to copy the whole VM back to the datastore on the SAN (in my case it’s the Freenas datastore). I checked that option to start Automatically PHD Motion seeding when setting up the job, remember?

You can see it in the properties of the VM being run in the Instant VM recovery mode. On the image below you can see the temporary datastore (PHDIR-423…….) and the final destination’s datastore of the VM (the Freenas datastore).

PHD Virtual Backup 6.0 - Instant VM Recovery and PHD Motion

This process will take some time. So when you go back to the PHD Virtual console, you choose the Instant VM Recovery Menu option > Current Tab, you’ll see that Complete PHD Motion is grayed out. That’s because of the above mentioned copy hasn’t finished. Well it really does not matter, since you (or your users) can still work and use the VM.

PHD Virtual Backup 6.0 - Instant VM Recovery and PHD Motion

And you can see on the image below that when the seeding process has finished, the button Complete PHD Motion became activ. (In fact, the software drops you an e-mail that the seeding process has finished copying

PHD Virtual Backup 6.0 - PHD Motion

And then, after few minutes the VM dissapears from this tab. The process has finished the copy of the deltas and the VM can be powered back on. It’s definitely a time saver, and when no storage vMotion licenses (in SMBs) are available, this solution can cut the the downtime quite impressively. The History tab shows you the details.

PHD Virtual Backup 6.0 - Instant VM recovery with PHD Motion

PHD Virtual Backup 6.0 – The E-mail Reporting Capabilities.

PHD Virtual Backup 6.0 has got the possibility to report on backup/replication jobs success (failure). The configuration of it it’s made mores simpler now than in previous release, since there is a big Test button there in order to send test e-mail. I haven’t had any issues after entering the information for my e-mail server, but in case you’re using different ports or you’re behind a firewall, this option is certainly very useful.

PHD Virtual Backup 6.0 - E-mail Reporting Capabilities

In v6, PHD made the email reports WAY more attractive.  They have a great job summary at the job and lots of great information in a nicely formatted chart that shows details for each VM and each virtual disk.  They even color code errors and warnings.  Very cool.

PHD Virtual Backup 6.0 - E-mail reports

PHD Exporter

PHD Virtual Backup .60 has also few tools bundled within the software suite which can be useful. PHD Exporter is one of them. This application can help when you need to archive VMs with data. Usually you would want to install this software on physical windows server which has got a tape library attached. It’s great because you can schedule existing backups to be exported as compressed OVF files. So if you ever had to recover from an archive, you wouldn’t even need PHD to do the recovery.

The tool basically connects itself to the location where the backups are stored and through an internal processing does extract those backup files to be stored temporary in a location that you configure when you setting up – it’s called staging location. Usually it’s a local storage. Then the files are sent to tape for archiving purposes.

Through the console you configure exporting jobs where the VM backups are exported to staging location.

PHD Exporter - Tool to export backups to Tape for archiving purposes

PHD Virtual Backup 6.0 is Application Aware Backup Solution

PHD virtual Backup 6.0 can make a transactionally-consistent backups of MS Exchange with the possibility to truncate the logs. Log truncation is supported for Microsoft Exchange running on Windows 2003 Server 64 bit SP2 and later and Windows Server 2008 R2 SP1 and later.

When an application aware backup is started, PHD Guest Tools initiates the quiesce process and an application-consistent VSS snapshot is created on the VM. The backup process continues and writes the data to the backup store while this snapshot exists on disk. When the backup process completes, post-backup processing options are executed and the VSS snapshot is removed from the guest virtual machine.

PHD Virtual Backup 6.0 provides small agent called PHD Guest Tools, which is installed inside of the VM.  This application performs the necessary application aware functions, including Exchange log truncation. Additionally, you can add your own scripts to perform tasks for other applications. Scripts can be added before and after a snapshot, and after a backup completes. So it looks like they’ve got all the bases covered for when you might want to execute something on your own. I’ve tested with an Exchange 2010 VM and it worked great!

I was nicely surprised with the deduplication performance at the destination datastore. Here is a screenshot from the dashboard where you can see that the Dedupe ration is 33:1 and saved space 1.4 TB.

PHD Virtual Backup 6.0 - The dashboard

During the few days that I had the chance and time to play with the solution in my lab I did not have to look often in the manual, but if you do plan using the replication feature with several remote sites, I highly recommend to read the manual which is as I already told you, good quality.

PHD Virtual Backup 6.0 provides many features that are useful and provide real value for VMware admins. Replication and Instant Recovery are features which becomes a necessity providing short RTO.

PHD Virtual Backup 6.0  is an agent-less backup solution (except VMs which needs Application aware backups) which don’t use physical hardware, but runs as a virtual appliance with 1CPU and 1Gigs of RAM.  This backup software solution can certainly have its place in today’s virtualized infrastructures running VMware vSphere.

Please note that this review was sponsored by PHD Virtual.

Source :

Qnap QuTS hero h5.1.0 | Release Notes

QuTS hero h5.1.0

QuTS hero h5.1.0 brings many important new features to further enhance security, improve performance, and boost productivity for your QNAP NAS. You can now log in with more secure verification methods, delegate administrative tasks to general users, and centrally manage NAS devices via AMIZ Cloud. You can also benefit from smarter disk migration, smoother file browsing and search in File Station, more powerful SMB signing and file sharing, more convenient storage pool expansion, and much more. See What’s New to learn about main features and Other Changes to learn about other features, enhancements, and changes.

We also include fixes for reported issues and provide information about known issues. For details, see Fixed and Known Issues. You should also see Important Notes before updating QuTS hero.

What’s New

Storage pool expansion by adding disks to an existing RAID group

Users can now expand a storage pool by adding disks to expand an existing RAID group within the pool. When expanding the RAID group, users can also migrate the RAID group to a different RAID type.

To use this function, go to Storage & Snapshots > Storage > Storage/Snapshots, select a storage pool, click Manage > Storage Pool > Action > Expand Pool to open the Expand Storage Pool Wizard, and then select Add new disk(s) to an existing RAID group.

Support for SMB multichannel

Users can now allow SMB 3.x clients to establish multiple network connections simultaneously to an SMB file share. Multichannel can increase the network performance by aggregating network bandwidth over multiple NICs and mitigating network disruption by increasing network fault tolerance.

To enable SMB multichannel, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking, and then select Enable SMB Multichannel.

SMB multichannel is only supported on the following clients using SMB 3.0 or later:

  • Windows 8.1 and later
  • Windows Server 2012 and later
  • macOS Big Sur 11.3.1 and later

AES-128-GMAC algorithm support for SMB signing

QuTS hero h5.1.0 now supports the Advanced Encryption Standard (AES) Galois Message Authentication Code (GMAC) cipher suite for SMB signing. SMB signing can use this algorithm to encode and decode using 128-bit keys and can automatically negotiate this method when connecting to a client device that also supports the same algorithm standard.

To enable SMB signing, go to Control Panel > Network & File Services > Win/Mac/NFS/WebDAV > Microsoft Networking > Advanced Settings, and then configure the SMB signing settings. Make sure that you select the highest SMB version as SMB 3.

Delegated Administration for better organization flexibility and productivity

In modern organizations, IT administrators are often overwhelmed by a sheer number of tasks and responsibilities. QuTS hero h5.1.0 now supports Delegated Administration, which allows administrators to delegate various roles to general users, so that they can perform routine tasks, control their data, manage system resources, and monitor device status even when IT administrators are not available. You can choose from a wide range of roles, including System Management, Application Management, Backup Management, Shared Folder Management, and many more. To ensure system security, we recommend only granting permissions that are essential for performing required tasks.

This feature not only helps reduce the workloads of administrators but also greatly enhances productivity and flexibility for your organization. You can also easily view the roles currently assigned to each user and change their roles anytime according to your needs. To configure these settings, go to Control Panel > Privilege > Delegated Administration. To learn more about Delegated Administration, check QuTS hero h5.1.0 User Guide.

2-step verification and passwordless login for enhanced account security

QuTS hero now supports passwordless login, which replaces your password with a more secure verification method. Instead of entering a password, you can scan a QR code or approve a login request with your mobile device to verify your identify. QuTS hero now also supports more verification methods for 2-step verification. In addition to a security code (TOTP), you can also choose to scan a QR code, approve a login request, or enter an online verification code to add an extra layer of security to protect your NAS account.

To configure these settings, go to the NAS desktop, click your username on the taskbar, and then select Login and Security. You can download and install QNAP Authenticator from App Store or Google Play and pair this mobile app with your NAS to secure your NAS account. Note that you cannot use 2-step verification and passwordless login at the same time.

Centralized NAS management with AMIZ Cloud

You can now add the NAS to an organization when setting up the myQNAPcloud service for your NAS. This allows organization administrators to remotely access, manage, and monitor various system resources on the NAS via AMIZ Cloud, a central cloud management platform designed for QNAP devices.

To manage the NAS via AMIZ Cloud, you must enable AMIZ Cloud Agent in myQNAPcloud. This utility communicates with AMIZ Cloud and collects the data of various resources on your device for analytics purposes without any identifiable person information.

Automatic disk replacement with Predictive Migration before potential failure

Predictive Migration is a major improvement over the original Predictive S.M.A.R.T. Migration feature in Storage & Snapshots. This upgrade now allows users to specify multiple trigger events that prompt the system to automatically replace a disk before it fails.

Besides S.M.A.R.T. warnings, users can also specify trigger events from other monitoring systems such as Western Digital Device Analytics (WDDA), IronWolf Health Management (IHM), DA Drive Analyzer, and SSD estimated remaining life. When a specified trigger event occurs—for example, a disk ‘s Galois WDDA status changes to “Warning” or the SSD estimated remaining life reaches 3%—the system automatically replaces the disk and migrates all its data to a spare disk. This process protects your data better and is safer than manually initiating a full RAID rebuild after the disk fails.

To configure Predictive Migration, go to Storage & Snapshots > Global Settings > Disk Health.

Lists of recent files in File Station for easier file browsing

With the new Recent Files feature in File Station, you can now easily locate files that were recently uploaded, opened, or deleted. These three folders are conveniently grouped together under the Recent File folder at the upper left portion of File Station.

File content search in File Station with Qsirch integration

The original search function in File Station could only search for file names of a specific file type. With the integration of Qsirch into File Station, you can now search for file content using keywords, and also search for multiple file types using these keywords at the same time. To use this feature, you need to install Qsirch, an app that can index the files on your device and greatly facilitate your file search.

Other Changes

Control Panel

  • Users can now configure an individual folder to inherit permissions from its parent folder or to remove the inherited permissions anytime. Users can also make a folder extend its permissions to all its subfolders and files. To configure permission inheritance on a folder, go to Control Panel > Privilege > Shared Folders, and then click the Edit Shared Folder Permissions icon under Action.
  • Added additional specification information for memory slots in Control Panel > System Status > Hardware Information.
  • Changed the behavior and the description of certain permission settings as we do not recommend using the default administrator account “admin”.
  • Optimized the process of restoring the LDAP database.
  • The “Network Recycle Bin” feature has been renamed to “Recycle Bin” in Network & File Services.
  • The automatic firmware update settings have been streamlined with the following changes: – The selectable options for automatic firmware updates have been greatly simplified. Users now select one of three firmware types to automatically update their system with: quality updates, critical updates, or latest updates. – “Security updates” are now “critical updates”. Critical updates include security fixes as well as critical system issue fixes. – “Quality updates” now include security fixes and critical issue fixes in addition to bug fixes.- “Feature updates” are now “latest updates” and include quality and critical updates in addition to new features, enhancements, and bug fixes. – Update notifications no longer need to be enabled separately for each firmware type. Notifications are now either enabled or disabled for all firmware types.
  • The time interval for observing successive failed login attempts can now be configured to be between 0 and 600 minutes. Moreover, a time interval of 0 minutes means that failed login attempts are never reset.
  • You can now include more information from account profiles when importing and exporting user accounts.
  • You can now select the direction to append the custom header for the reverse proxy rule.
  • Users can now edit and enable or disable existing power schedules in Control Panel > System > Power > Power Schedule. Previously, users could only add or remove power schedules.
  • The “Network Recycle Bin” feature has been renamed to “Recycle Bin” in Network & File Services.

Desktop & Login

  • You can now log out of your account on all devices, browsers, and applications at once. To use this feature, go to the desktop, click your username on the taskbar, and then go to Login and Security > Password.
  • Added an icon on the top-right corner of the desktop to indicate whether the device has enabled myQNAPcloud and been associated with a QNAP ID or whether the device has joined AMIZ Cloud.
  • Users can now save their QuTS Hero login credentials in their web browser. To enhance the security of your QuTS Hero user account, we recommend enabling 2-step verification.

App Center

  • Users can now configure a schedule for automatic installations of app updates.

File Station

  • Added prompt banners to remind users to turn on related browsing functions for multimedia files.
  • Enhanced the Background Tasks display UI.
  • Improved File Station performance and enhanced file browsing experience.

Help Center

  • Redesigned the user interface of Help Center for a better user experience.


  • You can now purchase licenses during QuTScloud installation.

iSCSI & Fibre Channel

  • Added a new settings page for managing default iSCSI CHAP authentication settings, which you can use for multiple iSCSI targets. You can find these settings in iSCSI & Fibre Channel > Global Settings > Default iSCSI CHAP. When creating or editing a target, you can choose to use the default CHAP settings or configure unique settings for the target.
  • Added the client umask feature to assign default permissions for existing and new files and folders.
  • When creating an iSCSI target, you can now select the network interfaces that an iSCSI target will use for data transmission. Previously, users could only do so after the target was created.

Network & Virtual Switch

  • Network & Virtual Switch can now record event logs when the system identifies conflicting IP addresses between the local device and another device on the same network.
  • Users can now configure the MAC address when creating or modifying a virtual switch.
  • When selecting the system default gateway automatically, you can now configure the checking target by specifying the domain name or IP address.


  • NFS service now supports both NFSv4 and NFSv4.1 protocols.
  • Users can now set the rcpbind to assign fixed ports to RPC services. Make sure that you configure the firewall rules accordingly to allow connections only on the fixed ports.

PHP System Module

  • Updated the built-in PHP version to 8.2.0.

Resource Monitor

  • Resource Monitor now displays the space used by files created from Qsync file versioning.


  • Updated Samba to version 4.15.
  • You can now aggregate up to 50 shared folders on a Windows network.

Storage & Snapshots

  • Added support for disk failure prediction from ULINK’s DA Drive Analyzer. Registered users of DA Drive Analyzer can now also monitor disk failure prediction statuses in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Added support for Seagate dual-actuator disks. These disks appear with a “Seagate DA” tag in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Added support for Western Digital Device Analytics (WDDA) for Western Digital (WD) disks. To view WDDA information, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks, select a WD disk, and click Health > View Details.
  • Improved the “Enable Read Acceleration” feature so that it not only improves the read performance of new files added to a shared folder (starting in QuTS hero h5.0.1), but also improves the read performance of existing files (starting in QuTS hero h5.1.0). This feature can be enabled for shared folders after upgrading from QuTS hero h5.0.0 or earlier to QuTS hero h5.0.1 or later.
  • Increased the maximum number of disks in RAID-TP from 16 to 24.
  • Redesigned the presentation of disk information into tabular format for enhanced user experience, now viewable in Storage & Snapshots > Storage > Disks/VJBOD > Disks.
  • Renamed the function “Replace & Detach” to “Replace” and added the option for users to choose whether to designate the replaced disk as a spare disk or to detach it from the system.
  • You can now select up to 24 disks for a single RAID-TP group.
  • Encrypted LUNs are now supported in VJBOD, SnapSync, Snapshot Replica, and snapshot import/export operations.
  • Improved the user interface on various snapshot-related screens.
  • Users can now change the destination IP address in Snapshot Replica jobs.
  • Added a new window that automatically appears when you insert new disks and helps you decide what to do with them. You can also access this window any time by going to Storage & Snapshots > Storage > Disks/VJBOD > Disks > More > Manage Free Disks.
  • After rebuilding a RAID group with a spare disk, the failed disk’s slot becomes reserved for a spare disk. To free up this slot for other purposes, go to Storage & Snapshots > Storage > Disks/VJBOD > Disks, select the disk slot, and click Action > Free Up Spare Disk Slot.
  • Users can now enable and disable QNAP SSD Antiwear Leveling (QSAL) on an existing SSD storage pool any time. Richer information is also available for QSAL-enabled pools, including replacement priority recommendation and charts showing the remaining capacity and life of the SSDs in the pool. To configure QSAL or view QSAL information, go to Storage & Snapshots > Storage > Storage/Snapshots, click an SSD storage pool, and then click Manage > QSAL.


  • You now need to enter a verification code when resetting your password if you forgot your password. This extra step helps enhance your account security.

Important Note

  • In QuTS Hero h5.0.1 or earlier, users can no longer create new VJBOD disks from a remote NAS if the remote NAS is running QuTS Hero h5.1.0 or later. If there are existing VJBOD disks connections to the remote NAS before it is updated to QuTS Hero h5.1.0 or later, these VJBOD disks are unaffected and remain operational after the update. In QuTS Hero h5.1.0 or later, users can still create VJBOD disks from a remote NAS running QuTS Hero h5.0.1 or earlier.
  • Removed support for CO Video.

Source :

Fixing WSUS – When the Best Defense is a Good Offense

By Johan Arwidmark / April 12, 2018

This week started pretty harsh, a ton of customers reaching out to our team having WSUS issues. Everything from the “traditional” CPU and Memory spikes, to severe network traffic over port 8530 to the WSUS/SUP server. Basically Clients downloading massive amount of info, some customers reporting up to 700 MB per endpoint.

Note #1: One ongoing issue right now seem to be that the Windows version next updates contains a ton of metadata, causing a massive headache for WSUS admins. See below for scripts to help cleanup the mess, and to perform needed maintenance tasks. Also, if you are missing some info here, let me know. I’m @jarwidmark on Twitter.

WARNING: Whatever solution you pick for the maintenance of your WSUS/SUP server, ensure that you do not sync your WSUS/SUP during the maintenance process!

WSUS Housekeeping

Until Microsoft replaces WSUS with something better, you have to do some housekeeping for WSUS to behave. Your mileage is going to vary, but you simply have to keep the WSUS database in shape, as well as declining unused updates. Here are a few resources that can help when WSUS goes bad.

The network traffic from WSUS can also be heavily loaded due an out-dated Microsoft Compatibility Appraiser version on the machines. See this KB:

Unexpected high network bandwidth consumption when clients scan for updates from local WSUS server

I have also published a PowerShell script you can run, either via remote PowerShell, or via the “Run Script” feature in ConfigMgr:

Checking the Microsoft Compatibility Appraiser version to prevent unwanted network traffic

Step 1 – Buy you some time

When all 8 CPU’s on your site site server are constantly at 95-100 percent, there is little room for any admin work, nor cleanup. So make sure to throttle CPU on the WsusPool application pool, to give you some working room.

WsusPool application pool.

Here is a good write-up of the preceding steps.

ConfigMgr Software Update Point: Out-of-Control App Pool

Step 2 – More application pool settings, and the WSUS web.config file

Next step is to configure everything else in the application pool, together with the web.config file. I was lazy so I “borrowed” some settings from Sherry’s post below, and added them to a PowerShell script: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Invoke-WSUSConfiguration.ps1

The script came from a series of ConfigMgr Configuration Items posted by Sherry Kissinger 

WSUS Administration, WSUSPool, web.config, settings enforcement via Configuration Items

Step 3 – Decline weird stuff

Use any or all of the listed solutions to get rid of junk in your WSUS database:

Tip: Before starting to run decline scripts, PowerShell / SQL etc., make sure your SUSDB is not heavily fragmented. Use the Maintenance Solution from Ola Hallengren to optimize the SUSDB indexes: http://ola.hallengren.com/

Optional Speed Tip: If you don’t mind going totally unsupported, you can create additional indexes in the WSUS database that speeds up the cleanup dramatically. More info here: http://kickthatcomputer.wordpress.com/2017/08/15/wsus-delete-obsolete-updates, a great post by Scott Williams (@ip1). Again, not supported by Microsoft so don’t blame me if something happens 🙂 Fun fact: In my environment that change made the deletions go 30 times faster!!!

Here is a copy of the “code”: http://github.com/DeploymentResearch/DRFiles/blob/master/Scripts/Create-WSUS-Index.sql

Decline weird stuff #1 – Fully Automate Software Update Maintenance in Configuration Manager

As the title implies, a script that automates software updates, including cleanup, optimization and more. Written by Bryan Dam (@bdam555).

Update April 17, 2018: Bryan recently updated the script to support standalone WSUS too, below you find a sample syntax for that:

.\Invoke-DGASoftwareUpdateMaintenance.ps1 -UpdateListOutputFile .\UpdateListOutputFile.csv -StandaloneWSUS WSUS01 -RunCleanUpWizard -DeclineSuperseded -DeclineByTitle @('*Itanium*','*ia64*','*Beta*') -DeclineByPlugins -Force

Decline weird stuff #2 – SQL Cleanup scripts

Some shiny SQL scripts from paul salwey @psalwey

Especially checkout the WSUSSQLMaintenance_4_DeclineUpdates_XML_Lengthover5000.sql one. I had not seen that before.


Tip on usage:

  1. Reindex
  2. Obsolete script
  3. Superseded script
  4. XML script
  5. Reindex again
  6. Reboot server

Tip #1:  If you have a lot of obsolete updates (Script 2.), consider using an alternate version below that runs in batches, and also shows total number of updates. The script is from Scott Williams (see Resource #6 further down this post). I just added a comment on where to change the batch numbers.


Tip #2: If you just want to quickly see how many obsolete updates you have, use this script:


Tip #3: Benjamin Reynolds (@SqlBenjamin), with Microsoft, has put together a combination of creating indexes for speed with a more optimized version of cleaning up obsolete updates, and Steve Thompson (@Steve_TSQL), has it all explained and published here: http://stevethompsonmvp.wordpress.com/2018/05/01/enhancing-wsus-database-cleanup-performance-sql-script/

Decline weird stuff #3 – Decline Updates Script by Jeff Carreon

In the same post as the SQL script to view updates with large metadata (In the “Additional Resources” section” further down this post), you find a great decline update scripts by Jeff Carreon (@jeffctangsoo10). It’s in the same post as the SQL script, but kind of hidden if you don’t look carefully. Here is a direct link:


By default the script run in “What-If” mode ($TrialRun set to $True). Here is a syntax to run it in declining mode, without sending an email report:  

.\Run-DeclineUpdate-CleanupV3.ps1 -Servers CM01 -TrialRun:$false -EmailReport:$false

Decline weird stuff #4 – WSUS Automated Maintenance (Formerly Adamj Clean-WSUS

I have not personally tested this one, but the community seems to like it quite a bit. Cleanup and DB script from Adam Marshall (@Adamj_1)


Additional Resources

Here follows some additional resources that I found useful:

Resource #1 – Script to view updates with large metadata

Here is another contribution from Sherry’s team. This SQL script was put together by Jeff Carreon, after working with Microsoft support on a WSUS performance issue. Very shiny.

The script is used to identify and measure the metadata that the clients are downloading, it tells you what articles (fancy word for update metadata) the are deployable and the size of each article.

What’s SUP???


Resource #2 – The complete guide to Microsoft WSUS and Configuration Manager SUP maintenance

Info from Microsoft. The title is a bit misleading, since it’s not actually a complete guide. But there is still lots of good info.


Resource #3 – Clients cannot report Scan Results back to WSUS

During the day, Matthew Krause (@MatthewT_Krause) also provided info on an issue he was having: Quite many clients, 75 percent out of 6500,were not reporting back the scan results to WSUS. Basically the server got overloaded with IIS 500 errors as the clients kept trying to report scan results, fail, and then try again. In the WindowsUpdate.log on the client they found that clients would get the error message stating invalid parameter but the sub message was Message:parameters.InstalledNonLeafUpdateIDs (see below).


WindowsUpdate.log on a client failing to report back scan results.

So if you are running into the non-leaf error message, one solution that proved to be working was changing the maxInstalledPrerequisites value in the WSUS Web.config file, and then do an IIS Reset. Doing this change made 90% of clients report scan results back within one day for this environment.

Change WSUS Web.config from:

<add key=”maxInstalledPrerequisites” value=”400″/>


<add key=”maxInstalledPrerequisites” value=”800″/>

Resource #4 – Optimizing WSUS with Configuration Manager, via Adaptiva

Good WSUS overview article with a few technical tricks in it. Written by Matt Tinney (@mnt2556) from Windows Management Experts.


Resource #5 – Unleash WSUS performance, via Pawel Jarosz

Here is another reading I found useful.

Simon says – unleash WSUS performance


Resource #6 – WSUS Delete Obsolete Updates, via Scott Williams

Yet another useful resources. Written by Scott Williams (@ip1).

WSUS Delete Obsolete Updates

That all for now,

Happy Deployment / Johan

Source :

WSUS Delete Obsolete Updates

Posted: August 15, 2017
in Configuration Manager, Information, SQL, Windows Update
Tags: delete obsolete updates, deleteobsoleteupdates, index, wsus

NOTE: Usual warnings apply. Do a backup before making any changes. If you are unsure about anything in the post then ask or look for more information or help before attempting it.

Over time WSUS will accumulate update metadata that can create performance issues for clients. In large environments this can be quite an issue.

There is a script Microsoft often provides during Premier Support calls to cleanup this update metadata, however there are a few issues:

  • The query can take a *really* long time to run if there are a lot of updates to cleanup. In some cases it can take *days*
  • You need to stop all the WSUS services while it runs
  • If it fails for whatever reason, it will have to start all over because it doesn’t commit the changes until it completes successfully
  • While it runs, the TEMPDB and Transaction logs will grow quite significantly until the data is committed
  • It gives no useful information on progress

There is a TechNet article (This is essential reading and has LOTS of important stuff) and a Forum Post where an improved version was written that gave progress of the cleanup, however it didn’t address the temp/transaction growth issues or the time issues. To this end I have applied my very rudimentary SQL scripting skills.

To find out just how many updates are waiting to be cleaned up, run this stored procedure:

EXEC spGetObsoleteUpdatesToCleanup

Firstly, when the script runs on a default WSUS install it can take over a minute to process *each* record. If there are thousands or tens of thousands or updates to remove this is going to take a while. There is an index you can add to the WSUS table that dramatically improves this so it happens at about 1 second per record. Microsoft confirmed this index is OK, however it is not officially supported (at time of writing)

CREATE NONCLUSTERED INDEX [IX_tbRevisionSupersedesUpdate] ON [dbo].[tbRevisionSupersedesUpdate]([SupersededUpdateID])
CREATE NONCLUSTERED INDEX [IX_tbLocalizedPropertyForRevision] ON [dbo].[tbLocalizedPropertyForRevision]([LocalizedPropertyID])

Now to the cleanup script. Simply this script will cleanup obsolete records, provide progress feedback and also allow you to run it in small blocks. This allows you to run in short blocks without needing to stop the WSUS server and avoids generating huge transaction loads on the SQL server.

To “tweak” the script, modify this line with the number of updates you want to do in each block. Start with 50, see how it runs in your environment and increase as needed. Ideally don’t run batches that take more than 5-10 minutes to prevent those SQL transaction logs growing.

IF @curitem < 101

If you do want to run a larger batch that may take hours, you should of course stop the WSUS services to do so. Also, don’t run this script if a WSUS Sync is in progress or scheduled to start.

DECLARE @var1 INT, @curitem INT, @totaltodelete INT
DECLARE @msg nvarchar(200)
CREATE TABLE #results (Col1 INT) INSERT INTO #results(Col1)
EXEC spGetObsoleteUpdatesToCleanup
SET @totaltodelete = (SELECT COUNT(*) FROM #results)
SELECT @curitem=1
BEGIN SET @msg = cast(@curitem as varchar(5)) + '/' + cast(@totaltodelete as varchar(5)) + ': Deleting ' + CONVERT(varchar(10), @var1) + ' ' + cast(getdate() as varchar(30))
EXEC spDeleteUpdate @localUpdateID=@var1
SET @curitem = @curitem +1
IF @curitem < 101
DROP TABLE #results

If for any reason the script is interrupted, you will find SQL still has the transaction table open and won’t let you run again (There is already an object named ‘#results’ in the table). To resolve this highlight and execute the last line to drop the table.

If this still doesn’t help, close the SQL Studio Manager session and you should be prompted with a warning about uncommitted transactions. Select Yes to commit then reopen and start the query again.

If for any reason the query is not properly closed there may be locks held on the SQL database that will prevent the normal WSUS service functioning resulting in failure of service.

Source :

10 Best Firewalls for Small & Medium Business Networks in 2023


Small and medium-sized businesses (SMBs) are increasingly becoming targets for cyber attacks. According to Verizon, about 61 percent of SMBs reported at least one cyber attack in 2021. Worse, Joe Galvin, chief research officer at Vistage, reported that about 60 percent of small businesses fold within six months of a cyber attack.

To protect your network from potential threats, you need a reliable and effective firewall solution. This tool will act as the first line of defense against unauthorized access and can help prevent malicious attacks from infiltrating a business’s network.

We reviewed the top SMB firewall solutions to help you determine the best one for your business.

Top SMB firewall software comparison

 Best forIPSContent filteringStarting price
Perimeter 81Best overallYesYes$8 per user per month, billed annually
pfSenseOpen sourceYesYes$0.01 per hour 
Comodo Free FirewallWindows PCsYesYesFree
ManageEngine Firewall AnalyzerLog, policy, and firewall configuration managementYesYes$395 per device
Fortinet FortiGateHybrid workforcesYesYesApprox. $335
SonicWall TZ400 Security FirewallAdvanced threat protectionYesYesApprox. $1,000–$1,500
Cisco Meraki MX68Small branches with up to 50 usersYesYesApprox $640
Sophos XGS SeriesRemote workersYesYesApprox. $520
Protectli Vault – 4 PortBuilding your own OPNsense or pfSense router and firewallYesYes$269 for FW4B – 4x 1G Port Intel J3160
OPNSenseFlexibilityYesYesFree, or $170.46/yr for business ed.

Jump to:

Perimeter81 icon

Perimeter 81

Best overall

Founded in 2018, Perimeter 81 is a cloud and network security company that provides organizations with a secure and unified platform for accessing and managing their applications and data.

It provides many security solutions, including firewall as a service (FWaaS), secure web gateway (SWG), zero trust network access (ZTNA), malware protection, software-defined perimeter, VPN-alternative and secure access service edge (SASE) capabilities, to ensure that data is secure and accessible to authorized personnel. It also provides centralized management and user access monitoring, enabling organizations to monitor and control user activity across the network.

Perimeter 81 provides granular access control policies that enable organizations to define and enforce access rules for their network resources based on the user’s identity, device type, and other contextual factors—making it easy for employees to access the company’s resources without compromising security.


Pricing plansMinimum usersCost per month, plus gateway costCost per year, plus gateway costCloud firewallAgentless application accessDevice posture check
Essential10$10 per user, plus $50 per month per gateway$8 per user, plus $40 per month per gatewayNo2 applicationsNo
Premium10$12 per user, plus $50 per month per gateway$15 per user, plus $40 per month per gateway10 policies10 applications3 profiles
Premium Plus20$16 per user, plus $50 per month per gateway$20 per user, plus $40 per month per gateway100 policies100 applications20 profiles
Enterprise50Custom quotesCustom quotesUnlimitedUnlimitedUnlimited


  • Identity-based access for devices and users.
  • Network segmentation.
  • OS and application-level security and mutual TLS encryption.
  • Enable traffic encryption enforcement, 2FA, Single Sign-On, DNS filtering, and authentication.


  • Provides visibility into the company network.
  • Allows employee access from on-premise.
  • Automatic Wi-Fi security.
  • 30-day money-back guarantee.


  • Low and mid-tiered plans lack phone support.
  • Limited support for Essential, Premium, and Premium Plus.
pfSense icon


Best open-source-driven firewall

pfSense is an open-source firewall/router network security solution based on FreeBSD. Featuring firewall, router, VPN, and DHCP servers, pfSense is a highly customizable tool that can be used in various network environments, from small home networks to large enterprise networks.

The tool supports multiple WAN connections, failover and load balancing, and traffic shaping, which can help optimize network performance. pfSense can be used on computers, network appliances, and embedded systems to provide a wide range of networking services.


pfSense pricing varies based on your chosen medium—cloud, software, or hardware appliances.

For pfSense cloud:

  • pfSense on AWS: Pricing starts from $0.01 per hour to $0.40 per hour.
  • pfSense on Azure: Pricing starts from $0.08 per hour to $0.24 per hour.

For pfSense software:

  • pfSense CE: Open source version available to download for free.
  • pfSense+ Home or Lab: Available at no cost for evaluation purposes only.
  • pfSense+ W/TAC LITE: Currently available at no charge, but vendor may increase rate to $129 per year in the future. 
  • pfSense+ W/TAC PRO: $399 per year.
  • pfSense+ W/TAC ENT: $799 per year.

For pfSense appliances:

pfSense+ appliancesDevice costBest forFirewall speed (IPERF3 TRAFFIC)Firewall speed
Netgate 1100$189Home607 Mbps(10k ACLs)191 Mbps(10k ACLs)
Netgate 2100$349Home
Home Pro
Branch/Small Business
964 Mbps(10k ACLs)249 Mbps(10k ACLs)
Netgate 4100$599Home Pro
Branch/Small Business
Medium Business
4.09 Gbps(10k ACLs)1.40 Gbps(10k ACLs)
Netgate 6100$799Home Pro
Branch/Small Business
Medium Business
9.93 Gbps(10k ACLs)2.73 Gbps(10k ACLs)
Netgate 8200$1,395Branch/Small Business
Medium Business
Large Business
18.55 Gbps5.1 Gbps
Netgate 1537$2,199Medium Business
Large Business
Data Center
18.62 Gbps(10k ACLs)10.24 Gbps(10k ACLs)
Netgate 1541$2,899Medium Business
Large Business
Data Center
18.64 Gbps(10k ACLs)12.30 Gbps(10k ACLs)


  • Stateful packet inspection (SPI).
  • IP/DNS-based filtering.
  • Captive portal guest network.
  • Time-based rules.
  • NAT mapping (inbound/outbound).


  • Anti-spoofing capability.
  • Connection limits option.
  • Community support.


  • The tool’s open-source version support is limited to community or forum. It lacks remote login support, private login support, a private support portal, email, telephone, and tickets.
  • Complex initial setup for inexperienced users.
Comodo icon

Comodo Free Firewall

Best for Windows PCs

Comodo Firewall is a free firewall software designed to protect computers from unauthorized access and malicious software by monitoring all incoming and outgoing network traffic. 

The firewall features packet filtering, intrusion detection and prevention, and application control. It also includes a “sandbox” feature that allows users to run potentially risky applications in a protected environment without risking damage to the underlying system. 

The software works seamlessly with other Comodo products, such as Comodo Antivirus and Comodo Internet Security.


Comodo is free to download and use. The vendor recommends adding its paid antivirus product (Comodo Internet Security Pro) to its firewall for added security. The antivirus costs $29.99 per year for one PC or $39.99 per year for three PCs. 


  • Auto sandbox technology.
  • Cloud-based behavior analysis. 
  • Cloud-based allowlisting. 
  • Supports all Windows OS versions since Windows XP (Note: Windows 11 support forthcoming).
  • Website filtering.
  • Virtual desktop.


  • Monitors in/out connections.
  • Learn user behavior to deliver personalized protection.
  • Real-time malware protection.


  • Lacks modern user interface.
  • Pop-up notifications—some users may find the frequent alerts generated by the software annoying and intrusive.
ManageEngine icon

ManageEngine Firewall Analyzer

Best for log, policy, and firewall configuration management

ManageEngine Firewall Analyzer is a web-based log analytics and configuration management software for firewall devices. 

It provides real-time visibility into network activity and helps organizations identify network threats, malicious traffic, and policy violations. It supports various firewalls, including Cisco ASA, Palo Alto, Juniper SRX, Check Point, SonicWall, and Fortinet. 

Firewall Analyzer helps monitor network security, analyze the security posture of the network, and ensure compliance with security policies. It also provides reports, dashboards, and automated alerting to ensure the network remains secure.


The amount you will pay for this tool depends on the edition you choose and the number of devices in your organization. 

You can download the enterprise edition’s 30-day free trial to test-run it and learn more about its capabilities. It’s available in two versions: Windows OS or Linux. You can also download it for mobile devices, including iPhone devices and Android phones or tablets.

  • Standard Edition: Starts at $395 per device, up to 60 devices.
  • Professional Edition: Starts at $595 per device, up to 60 devices.
  • Enterprise Edition: Starts at $8,395 for 20 devices, up to 1,200 devices.


  • Firewall rules report and firewall device audit report.
  • Regulatory compliance with standards such as ISO, PCI-DSS, NERC-CIP, SANS, and NIST.
  • Network behavioral anomaly alert.
  • Security reports for viruses, attacks, spam, denied hosts, and event summaries.
  • Historical configuration change tracking.
  • Bandwidth report for live bandwidth, traffic analyzer, URL monitor, and employee internet usage.
  • Compatible with over 70 firewall versions.


  • Excellent technical support.
  • Users praise its reporting capability.
  • In-depth auditing with aggregated database entries capability.
  • VPN and security events analysis.


  • Complex initial setup.
  • Users reported that the tool is occasionally slow.
Fortinet icon

Fortinet FortiGate

Best for hybrid workforces

Fortinet FortiGate is a network security platform that offers a broad range of security and networking services for enterprises of all sizes. It provides advanced threat protection, secure connectivity, and secure access control. It also provides advanced firewall protection, application control, and web filtering. 

Business owners can use Fortinet’s super-handy small business product selector to determine the best tool for their use cases. 

Small and mid-sized businesses may find the following FortiGate’s model suitable for their needs:

 IPSNGFWThreat ProtectionInterfacesSeries
FortiGate 80F1.4 Gbps1 Gbps900 MbpsMultiple GE RJ45 | Variants with PoE, DSL,3G4G, WiFi and/or storageFG-80F, FG-80F-PO, FG-80F-Bypass, FG-81F, FG-81F-PO, FG-80F-DSL, FWF-81F-2R-POE, FWF-81, F-2R-3G4G-POE, FWF-80F/81F-2R, and FWF-80F/81F-2R-3G4G-DSL
FortiGate 70F 1.4 Gbps1 Gbps800 MbpsMultiple GE RJ45 | Variants with internalstorageFG-70F and FG-71F
FortiGate 60F 1.4 Gbps1 Gbps700 MbpsMultiple GE RJ45 | Variants with internalstorage | WiFi variantsFG-60F, FG-61F, FWF-60F, and FWF-61F
FortiGate 40F 1 Gbps800 Mbps 600 MbpsMultiple GE RJ45 | WiFi variantsFG-40F, FG-40F-3G4G, FWF-40F, FWF-40F-3G4G

Fortinet FortiGate is compatible with several operating systems and can easily be integrated into existing networks. 


Unfortunately, Fortinet doesn’t publish their prices. Reseller prices start around $335 for the FortiGate 40F with no support. Contact Fortinet’s sales team for quotes.


  • Offers AI-powered security services, including web, content, and device security, plus advanced tools for SOC/NOC.
  • Continuous risk assessment. 
  • Threat protection capability.


  • Top-rated firewall by NSS Labs.
  • Intrusion prevention.


  • According to user reviews, the CLI is somewhat complex.
  • Complex initial setup.
SonicWall icon

SonicWall TZ400 Security Firewall

Best for advanced threat protection

The SonicWall TZ400 is a mid-range, enterprise-grade security firewall designed to protect small to midsize businesses. It supports up to 150,000 maximum connections, 6,000 new connections per second, and 7×1-Gbe. 

The TZ400 features 1.3 Gbps firewall inspection throughput, 1.2 Gbps application inspection throughput, 900 Mbps IPS throughput, 900 Mbps VPN throughput, and 600 Mbps threat prevention throughput. 


This product’s pricing is not available on the Sonicwall website. However, resellers such as CDW, Staples, and Office Depot typically sell it in the $1,000–$1,500 range. You can request a quote for your particular use case directly from Sonicwall.


  • Deep memory inspection.
  • Single-pane-of-glass management and reporting.
  • SSL/TLS decryption and inspection.
  • SD-WAN and zero-touch deployment capabilities.


  • Optional PoE and Wi-Fi options.
  • DDoS attack protection (UDP/ICMP/SYN flood).
  • Fast performance with gigabit and multi-gigabit Ethernet interfaces.
  • Protects against intrusion, malware, and ransomware.
  • High-performance IPS, VPN, and threat prevention throughput.
  • Efficient ​​firewall inspection and application inspection throughput.


  • Support can be improved.
  • It can be difficult to configure for inexperienced users.
Cisco icon

Cisco Meraki MX68

Best for small branches with up to 50 users

The Cisco Meraki MX68 is a security appliance designed for SMBs. It’s part of the Cisco Meraki MX series of cloud-managed security appliances that provide network security, content filtering, intrusion prevention, and application visibility and control.

The MX68 is equipped with advanced security features such as a stateful firewall, VPN, and intrusion prevention system (IPS) to protect your network from cyber attacks. The MX68 has a variety of ports and interfaces, including LAN and WAN ports and a USB port for 3G/4G failover. It also supports multiple WAN uplinks, providing redundancy and failover options to ensure your network remains online and available.


The Cisco Meraki MX68 pricing isn’t listed on the company’s website, but resellers typically list it starting around $640. You can request a demo, free trial, or quotes by contacting the Cisco sales team.


  • Centralized management via web-based dashboard or API.
  • Intrusion detection and prevention (IDS/IPS).
  • Next-generation layer 7 firewalls and content filtering.
  • SSL decryption/inspection, data loss prevention (DLP), and cloud access security broker (CASB).
  • Instant wired failover with added 3G/4G failover via a USB modem.


  • Remote browser isolation, granular app control, and SaaS tenant restrictions.
  • Support for native IPsec or Cisco AnyConnect remote client VPN.
  • Provides unified management for security, SD-WAN, Wi-Fi, switching, mobile device management (MDM), and internet of things (IoT)


  • The license cost is somewhat high.
  • Support can be improved.
Sophos icon

Sophos XGS Series

Best for remote workers

Sophos XGS Series Desktop is a range of network security appliances designed to provide comprehensive protection for SMBs. These appliances combine several security technologies, including firewall, intrusion prevention, VPN, web filtering, email filtering, and application control, to provide a robust and integrated security solution.

Here’s a comparison table of the Sophos XGS series firewalls:

 FirewallTLS inspectionIPSIPSEC VPNNGFWFirewall IMIXThreat protectionLatency (64 byte UDP)
XGS Desktop Models3,850 Mbps375 Mbps1,200 Mbps3,000 Mbps700 Mbps3,000 Mbps280 Mbps6 µs
XGS 107 / 107w7,000 Mbps420 Mbps1,500 Mbps4,000 Mbps1,050 Mbps3,750 Mbps370 Mbps6 µs
XGS 116 / 116w7,700 Mbps650 Mbps2,500 Mbps4,800 Mbps2,000 Mbps4,500 Mbps720 Mbps8 µs
126/126w10,500 Mbps800 Mbps3,250 Mbps5,500 Mbps2,500 Mbps5,250 Mbps900 Mbps8 µs
136/136w11,500 Mbps950 Mbps4,000 Mbps6,350 Mbps3,000 Mbps6,500 Mbps1,000 Mbps8 µs

The Sophos XGS Series Desktop appliances are available in several models with varying performance capabilities, ranging from entry-level models suitable for small offices to high-performance models suitable for large enterprises. They are designed to be easy to deploy and manage, with a user-friendly web interface and centralized management capabilities.


Sophos doesn’t advertise the pricing for their XGS Series Desktop appliances online, but they typically retail starting at about $520 from resellers. 

Potential customers are encouraged to request a free trial and pricing information by filling out a form on the “Get Pricing” page of their website.


  • Centralized management and reporting.
  • Wireless, SD-WAN, application aware routing, and traffic shaping capability.
  • SD-WAN orchestration.
  • Advanced web and zero-day threat protection.


  • Zero-touch deployment.
  • Lateral movement protection.
  • Users find the tool scalable.


  • Performance limitations.
  • Support can be improved.
Protectli icon

Protectli Vault – 4 Port

Best for building your own OPNsense or pfSense router and firewall

The Protectli Vault is a small form-factor network appliance designed to act as a firewall, router, or other network gateway. The 4-Port version has four gigabit Intel Ethernet NIC ports, making it ideal for SMB or home networks.

The device is powered by a low-power Intel processor and can run a variety of open-source firewall and router operating systems, such as pfSense, OPNsense, or Untangle. It comes with 8GB DDR3 RAM and up to 32GB DDR4 RAM. 

The Protectli Vault is designed to be fanless, silent, and compact, making it ideal for use in the home or office environments where noise and space may be an issue. It’s also designed to be energy-efficient, consuming only a few watts of power, which can save businesses considerable amounts of money on energy costs over time.


The amount you will pay for this tool depends on the model you select and your desired configuration. The rates below are starting prices; your actual rate may vary based on your configuration. Note that all these items ship free to U.S. addresses.

  • VP2410 – 4x 1G Port Intel J4125: Starts at $329.
  • VP2420 – 4x 2.5G Port Intel J6412: Starts at $379.
  • FW4B – 4x 1G Port Intel J3160: Starts at $269.
  • FW4C – 4x 2.5G Port Intel J3710: Starts at $289.


  • Solid-state and fanless tool.
  • Provides 2.5 GB ports unit.
  • AES-NI, VPN, and coreboot options.


  • A 30-day money-back guarantee.
  • Transparent pricing.
  • Coreboot support.
  • CPU supports AES-NI.


  • Steep learning curve.
OPNSense icon


Best for flexibility 

OPNsense is a free and open-source firewall and routing platform based on the FreeBSD OS. It was forked from the popular pfSense and m0n0wall project in 2014 and was officially released in January 2015.

OPNsense provides a modular design that allows users to easily add or remove functionality based on their needs. 

OPNsense is popular among IT professionals and network administrators who need a flexible and customizable firewall and routing platform that they can tailor to their specific needs. It’s also a good choice for small businesses and home users who want to improve their networks’ security without spending a lot of money on commercial solutions.


OPNSense is a free, open source tool. It is available in two editions: Community edition and business edition. You can download the community version at no cost. For the business version, a one-year subscription costs $170.46 per year.


  • High availability and hardware failover.
  • Intrusion detection and prevention.
  • Captive portal.
  • VPN (site-to-site and road warrior, IPsec, OpenVPN, and legacy PPTP support).
  • Built-in reporting and monitoring tools, including RRD Graphs.


  • Free, open source.
  • Traffic shaper.
  • Support for plugins.
  • Multi-language support, including English, Czech, Chinese, French, German, Italian, Japanese, Portuguese, Russian, and Spanish.


  • Reporting capability can be improved.
  • The interface can be improved.

Key features of SMB firewalls

Firewalls designed for SMBs share many of the same characteristics as their enterprise-grade cousins—such as firewall rule and policy configuration, content filtering, reporting and analytics—while placing additional emphasis on affordability and ease of use.

Firewall rules and policies

Administrators should be able to set up firewall rules and policies that control traffic flow and block or permit traffic based on various criteria, such as source/destination IP addresses, ports, and protocols. 

These rules and policies can be used to control the types of applications, services, and data that are allowed to traverse the network, as well as create restrictions on access. 

Firewall rules and policies are essential to the security of a network, as they provide the first line of defense against malicious attacks.

Content filtering

Content filtering is the process of blocking or restricting certain types of content from entering or leaving a network. It can be used to block websites, applications, or data that may contain malicious or unwanted content, such as malware, viruses, or pornographic material. 

Content filtering is typically implemented using a combination of hardware and software solutions. Hardware solutions, such as routers and switches, can be configured to block certain types of traffic or data or to restrict access to certain websites or applications. Software solutions, such as firewall rules and policies, can also be used to block or restrict certain types of content.

Reporting and analytics 

Reporting and analytics are essential for any business network, as they provide important insights into the health and security of the network. Firewall reporting and analytics features allow network administrators to identify trends, detect potential threats, and analyze the performance of the network over time.

Reporting and analytics can also be used to identify any areas of the network that may be vulnerable to attack, as well as identify any areas where the network may not be performing optimally.


For SMBs, affordability is a key factor when it comes to purchasing a firewall. SMB firewalls are typically more affordable than enterprise firewalls and can be purchased for as little as a few hundred dollars, so it is important to consider your budget when selecting a firewall.

Some SMB firewalls offer additional features for a fee, so consider what features are necessary for your network and the ones you can do without, as this will help you decide on the most cost-effective firewall solution. At the same time, be careful not to cut corners—your business’s data is too important to be insufficiently protected.

Ease of use and support

For SMBs, finding a firewall solution that is easy to use and has good support is essential. Firewalls should be easy to configure and manage so the network administrator can quickly and easily make changes as needed.

Additionally, good support should be available for any issues or questions that arise. This support should include an online knowledge base and access to technical support staff that can assist with any questions or problems, ideally 24/7.

How to choose the best SMB firewall software for your business

When shopping for the best SMB firewall software for your business, look for software that offers the features you need, easy installation and management, scalability to grow with your business, minimal impact on network performance, and an affordable price.

It’s also important to choose a vendor with a good reputation in the industry, backed up by positive reviews and customer feedback.

Frequently asked questions (FAQs)

What is an SMB firewall?

An SMB firewall is a type of network security device that is designed specifically for small and medium-sized businesses. It’s used to protect networks from unauthorized access, malicious attacks, and other security threats.

What features should I look for in an SMB firewall?

Above all you need a solution with a strong security profile. Look for specific security measures such as:

  • Intrusion prevention
  • Content filtering
  • Malware protection
  • Application control
  • Traffic shaper 

Other factors to consider include ease of management, scalability, and cost.

Do small businesses need a firewall?

Yes, small businesses need a firewall. It provides an essential layer of network security that helps protect against unauthorized access, malware, and other security threats. Without a firewall, small businesses are vulnerable to attacks that could compromise sensitive data, cause network downtime, and damage their reputation.

How much does a firewall cost for SMBs?

The cost of an SMB firewall can vary widely depending on the features, capabilities, and brand of the firewall. Generally, SMB firewalls can range in price from a few hundred to several thousand dollars.

How many firewalls do you need for a small business?

The number of firewalls needed for a small business will depend on the size and complexity of the network. In many cases, a single firewall may be sufficient to protect the entire network. However, in larger networks, it may be necessary to deploy multiple firewalls to provide adequate protection.

Factors such as network segmentation, geographic location, and compliance requirements may also influence the number of firewalls needed. It’s best to consult with a network security expert to determine the appropriate number of firewalls for your small business.


We analyzed dozens of SMB firewall software and narrowed down our list to the top ten. We gathered primary data—including pricing details, features, support, and more—from each tool provider’s website, as well as third-party reviews. We selected each software based on five key data points: security, ease of use, affordability, quality of service, and user satisfaction.

Bottom line: Choosing an SMB firewall

The solutions we evaluated are some of the best SMB firewalls currently available on the market. They are designed to provide SMBs with advanced security features, easy management, and scalability at affordable rates.

If your business is growing fast and you need an enterprise-grade network firewall solution, we also reviewed the best firewall software for enterprise networks.

Read our complete guide to designing and configuring a firewall policy for your organization, complete with a free, downloadable template.

Source :

7 Best Firewall Software Solutions: 2023 Firewall Comparison


In the fast-paced realm of cyberspace where threats continue to multiply, firewall software represents a critical line of defense for businesses of all sizes.

Such programs function as digital gatekeepers, regulating the flow of inbound and outbound network traffic according to a set of rules defined by the user.

With the continued rise of data breaches, investing in the best firewall software isn’t a mere consideration; it’s a necessity.

That’s why we researched, analyzed, and selected the best firewall software solutions for 2023:

Best firewall software comparison

Before delving into each firewall software’s in-depth review, let’s take a quick overview of what each product offers via a comparison chart:

Comprehensive security suiteScalabilityUser-friendly interfaceRobust featuresCloud-based managementOpen-sourceStarting price
Norton$49.99 for 5 devices for the first year
FortiGate$250/year for home office
GlassWireFree, or $2.99/month/license
Cisco Secure Firewall Management CenterContact Cisco
Sophos FirewallContact Sophos
ZoneAlarmFree, or $22.95/year for 1 PC

Jump to:

Norton icon


Best for a comprehensive security suite

Norton is a household name in cybersecurity that has long been delivering top-tier firewall software that signifies its wealth of experience in the sector.

The standout attribute of Norton is its comprehensive security suite, going beyond basic firewall protection to incorporate a smart firewall and intrusion prevention system (IPS), antivirus capabilities, identity theft protection, and even a VPN offering.

All that adds up to a holistic solution for businesses desiring a single-stop security software.


Norton’s Smart Firewall is included in Norton 360, whose pricing plans at the time of writing are:

  • Deluxe: $49.99 for the first year for 5 PCs, Macs, tablets, or phones.
  • Select + LifeLock: $99.99 for the first year for 10 PCs, Macs, tablets, or phones.
  • Advantage + LifeLock: $191.88 for the first year for 10 PCs, Macs, tablets, or phones.
  • Ultimate Plus + LifeLock: $299.88 for the first year for unlimited PCs, Macs, tablets, or phones.


  • Advanced smart firewall with customizable rules, allowing businesses to modify access based on their specific needs, thus providing a higher level of personalized security.
  • Integrated VPN for safe browsing ensures users can access the internet securely without worrying about potential threats or privacy breaches.
  • Identity theft protection is another vital feature, which helps safeguard sensitive personal and business data from potential hackers.
  • SafeCam feature prevents unauthorized access to your webcam, thwarting any potential spying or privacy intrusions.
  • Automatic updates ensure that your protection is always up-to-date, reinforcing defenses against new and evolving threats.


  • Norton offers a comprehensive security suite, providing a broad spectrum of protective measures beyond the typical firewall, creating a fortified line of defense against a myriad of cyber threats.
  • The interface is easy to navigate, making the process of setting up and managing the firewall less complex and more user-friendly, even for those with limited technical knowledge.
  • It provides 24/7 customer support, ensuring that you’ll have access to assistance whenever you need it, regardless of the hour or day.


  • While perfect for small to mid-sized businesses, Norton might not be as scalable for larger businesses with a vast network of devices, potentially limiting its effectiveness in such an environment.
  • Depending on your requirements, the subscription can become expensive with add-ons, which might be a drawback for businesses on a tight budget.
Fortinet icon


Best for scalability

Fortinet is a well-regarded player in the cybersecurity arena and its firewall software exemplifies its commitment to delivering high-quality solutions. FortiGate, Fortinet’s firewall offering, is recognized for its advanced firewall solutions that are scalable and robust.

Particularly useful for growing businesses, FortiGate brings forward top-notch features that can effortlessly adapt to the needs of expanding network infrastructures.


Fortinet offers a variety of solutions priced broadly to accommodate all business sizes—from $250 for home office to $300,000 for large enterprises. Contact Fortinet for accurate pricing information.


  • FortiGate offers an advanced firewall with extensive protection against incoming threats, thus maintaining the security of your network.
  • With scalability at its core, FortiGate can adapt and grow along with your business, addressing increasing security demands seamlessly.
  • Smooth integration with other Fortinet security solutions, enabling a comprehensive security ecosystem for your business.
  • FortiGate Cloud-Native Firewall offers high resiliency to ease security delivery across cloud networks and availability zones at scale.
  • Automatic updates keep the firewall current and equipped to deal with the latest threats, ensuring your network’s protection remains robust.


  • Fortinet’s robust firewall features deliver comprehensive security for your network, providing the necessary defenses to ward off potential threats.
  • With a strong focus on scalability, Fortinet is an ideal choice for rapidly growing businesses that need a security solution to match their expanding network.
  • The software’s high-performance nature means that it delivers robust security without hampering your network’s speed or efficiency.


  • Despite (or because of) offering a wealth of features, Fortinet’s interface may not be as user-friendly as some other options, potentially causing difficulties for those without substantial technical knowledge.
  • While Fortinet offers a range of pricing options, the cost can quickly escalate for larger networks or when additional features are included, which may not suit budget-conscious businesses.
  • Pricing information is not transparent and requires negotiation. Your mileage may vary.
GlassWire icon


Best for user-friendly interface

GlassWire is an elegant and visually appealing firewall software that provides comprehensive network monitoring capabilities.

It uniquely combines a network monitor and firewall, offering users a clear visual representation of their network activity. This functionality helps users to understand their online behavior and potential threats in a way that’s easy to interpret.


GlassWire offers a tiered pricing model:

  • Free: provides limited features, perfect for individual users or small businesses.
  • Premium: Starts at $2.99 per month per license, paid annually. Its premium tier plans suitable for business range between 10 and 200 licenses.


  • Real-time and detailed visualization of your current and past network activity, offering an intuitive and easy-to-understand representation of what’s happening on your network.
  • Built-in firewall that allows users to easily monitor applications using the network and block any suspicious activity, providing a comprehensive network security solution.
  • A unique “Incognito” mode for users who do not want certain network activities to appear on the network graph, ensuring user privacy.
  • Firewall profiles to instantly switch between different environments, such as public and private networks.
  • The network time machine feature allows users to go back in time up to 30 days to see what their computer or server was doing in the past.


  • GlassWire offers a beautifully designed, user-friendly interface that presents complex network security information in a visually appealing and understandable way.
  • Its comprehensive network monitoring capability allows users to understand their online behavior, identify patterns and detect anomalies.
  • The software’s built-in firewall offers users the flexibility to control which applications can access the network, enhancing the overall security of their systems.


  • The software requires a moderate amount of system resources to run efficiently, which might be an issue for systems with limited resources.
  • Although GlassWire’s visualizations are beautiful and informative, some users may find them overwhelming and would prefer a more traditional interface.
Cisco icon

Cisco Secure Firewall Management Center

Best for centralized management and control

The Cisco Secure Firewall Management Center provides a comprehensive solution for centralized control and management of security policies. It enhances the overall efficiency of network administration by offering a unified platform to manage multiple Cisco security appliances.

Businesses that use a variety of Cisco security tools will find this a valuable addition to streamline operations and enhance control.


Cisco Secure Firewall Management Center’s pricing depends on the scale of operations and the specific needs of a business. For detailed and customized pricing information, you can directly contact Cisco or its partners.


  • A unified management console that can control a wide range of Cisco security appliances, reducing the complexity associated with managing multiple devices.
  • Advanced threat detection and analysis capabilities, enabling administrators to swiftly identify and respond to security incidents.
  • Flexible deployment options, including on-premises, virtual and cloud-based solutions, catering to various operational needs and preferences.
  • Comprehensive policy management, allowing administrators to efficiently establish and enforce security policies across their Cisco security infrastructure.
  • Integration with other Cisco security tools, such as Cisco Threat Response, provides a cohesive and powerful security solution.


  • The ability to manage multiple Cisco security appliances from a single platform is a significant advantage, especially for larger enterprises managing complex security infrastructures.
  • Cisco Secure Firewall Management Center offers advanced threat detection and analysis capabilities, aiding in swift and efficient incident response.
  • Its flexible deployment options cater to diverse operational needs, providing convenience and ease of setup to businesses of all sizes.


  • Although powerful, the platform may require a steep learning curve, particularly for those who are new to Cisco’s ecosystem.
  • Some users have reported a desire for more customization options within the management interface to meet their specific operational needs.
  • Pricing information is not transparent and requires negotiation. Your mileage may vary.
pfSense icon

pfSense: Best open source solution

pfSense is an open-source firewall software solution that is highly customizable, suitable for tech-savvy businesses that prefer having the flexibility to tailor their firewall to specific needs. It’s built on the FreeBSD operating system, offering a comprehensive range of features for network management and security.


As an open-source platform, pfSense is free to download and use. However, Netgate, the company behind pfSense, offers paid support and services, including hardware solutions integrated with pfSense software.


  • A wide array of networking functionalities, including firewall, VPN, and routing services, ensuring comprehensive network protection.
  • Being open-source, it offers extensive customization options, allowing businesses to tailor the software to their specific needs.
  • Supports a large selection of third-party packages for additional features, granting more flexibility in expanding its capabilities.
  • Detailed network monitoring and reporting tools, allowing for granular insight into network traffic and potential security threats.
  • It has a community-backed development model, ensuring continuous improvements and updates to its features.


  • pfSense’s open-source nature allows for extensive customization, giving businesses control over how they want to configure their firewall.
  • The software provides a comprehensive set of features, ensuring thorough network protection and management.
  • Its support for third-party packages allows for the addition of further functionalities, enhancing its overall capabilities.


  • The configuration of pfSense can be quite complex, particularly for users without a strong technical background, which could pose a challenge for some businesses.
  • The user interface, while functional, may not be as polished or intuitive as some commercial firewall solutions.
  • As with many open-source projects, while there’s a supportive community, professional customer service might not be as accessible as with commercial solutions.
Sophos icon

Sophos Firewall

Best for cloud-based management

Sophos Firewall brings a fresh approach to the way you manage your firewall and how you can detect and respond to threats on your network.

Offering a user-friendly interface and robust features, this product provides businesses with an effective and efficient solution for their network security needs. It’s a versatile solution that not only offers traditional firewall capabilities but also integrates innovative technologies to ensure all-round security.


Sophos does not publicize pricing information, because their solutions are provided by resellers and can vary depending on the business’s size, needs, and location. You can contact them directly for accurate pricing information.


  • All-in-one solution by integrating advanced threat protection, IPS, VPN, and web filtering in a single comprehensive platform, thereby providing robust security for your network.
  • Deep learning technology and threat intelligence, both of which work in synergy to identify and respond to threats before they can cause damage, offering advanced protection against malware, exploits, and ransomware.
  • User-friendly interface that simplifies configuration and management tasks, making it easier for users to set up security policies and monitor network activities.
  • Synchronized Security technology that facilitates communication between your endpoint protection and your firewall, creating a coordinated defense against cyber threats.
  • The Sophos Firewall comes with an effective cloud management platform, allowing administrators to remotely manage the system, configure settings, and monitor network activity.


  • A user-friendly interface that simplifies the process of setting up and managing network security policies, making it suitable for businesses with limited technical expertise.
  • It integrates advanced protection capabilities, such as threat intelligence and deep learning technology, to provide robust defense against sophisticated cyber threats.
  • This firewall software’s unique Synchronized Security feature offers a coordinated and automated response against threats, enhancing the overall effectiveness of your network security.


  • Some users have reported that while the user interface is intuitive, it might take some time to navigate due to the depth of features available.
  • The initial setup and configuration might require technical expertise, although Sophos provides comprehensive resources and customer support to guide users.
  • Although Sophos’ site advertises “Simple Pricing,” their costs are not in fact transparent and will require negotiating a quote. Your mileage may vary.
ZoneAlarm icon


Best for personal use

ZoneAlarm is an excellent choice for personal use and small businesses due to its simplicity and effectiveness.

With a robust set of features and an intuitive interface, it provides robust protection without requiring extensive technical knowledge. Its reputation as a reliable firewall solution makes it an attractive choice for users seeking to safeguard their systems from various threats.


ZoneAlarm offers both free and premium versions of their firewall software. The free version provides basic protection, while the Pro Firewall version, which comes at a yearly subscription fee starting from $22.95 for 1 PC, offers advanced features such as zero-day attack protection and full technical support.


  • Robust two-way firewall protection, preventing unauthorized access to your network while also stopping malicious applications from sending out your data.
  • Advanced privacy protection feature that protects your personal information from phishing attacks.
  • Unique ID Lock feature that keeps your personal information safe.
  • ZoneAlarm boasts an Anti-Phishing Chrome Extension that detects and blocks phishing sites, protecting your information online.
  • The premium version offers advanced real-time antivirus protection, ensuring that your system is continuously protected from threats.


  • ZoneAlarm offers a straightforward interface and setup process, making it an ideal choice for users who lack advanced technical skills.
  • The software provides a comprehensive suite of features, including robust firewall protection, advanced privacy tools and real-time antivirus capabilities.
  • ZoneAlarm’s ID Lock feature is a standout, helping to ensure the security of personal data.


  • While ZoneAlarm offers robust features, its protection level may not be adequate for large enterprises or businesses with complex network architectures.
  • Some users have reported that the software can be resource-intensive, potentially slowing down system performance.

Key features of firewall software

When choosing the best firewall software for your business, there are key features you should consider. These range from the extent of the security suite to scalability and cloud-based management, all of which play a significant role in how effectively the software will serve your needs.

Comprehensive security suite

A comprehensive security suite is more than just a basic firewall. It includes additional layers of security like antivirus capabilities, identity theft protection, and a VPN.

The best firewall software solutions should deliver this kind of comprehensive coverage, protecting against a wide variety of threats and helping you maintain the security of your entire network. Norton, Cisco, and Sophos firewalls excel in this area.


Scalability is particularly important for businesses that are growing or plan to grow. As the size of your network increases, your security needs will change and become more complex.

Firewall software like FortiGate and pfSense are designed with scalability in mind, allowing them to adapt to the increasing security demands of your expanding network.

User-friendly interface

A user-friendly interface is crucial, especially for those who may not have a lot of technical expertise. Firewall software should be easy to navigate and manage, making the process of setting up and adjusting the firewall less daunting.

Norton excels in this area, with an intuitive interface that is straightforward to use. GlassWire, while not as intuitive, also offers an attractive and convenient interface.

Robust features

Having robust features in firewall software is key to ensuring comprehensive protection. This includes an advanced firewall with extensive customizable rules, IPS, and threat detection capabilities.

The most robust firewall solutions include Norton, FortiGate, Cisco, and Sophos, as well as pfSense, although you’ll have to do some legwork to program the latter in particular.

Cloud-based management

Cloud-based management is a significant advantage in today’s digital landscape. It allows for the remote configuration and monitoring of your firewall, making it easier to manage and adjust as needed. This feature is particularly beneficial for businesses with remote workers or multiple locations.

Norton, FortiGate, Cisco, Sophos, and ZoneAlarm all provide this capability.

Advanced firewall protection

Advanced firewall protection includes capabilities like deep packet inspection, which examines data packets to detect malware that could otherwise bypass standard firewalls. This kind of advanced protection is vital to secure your network from sophisticated threats. Most of the firewalls in this list offer advanced, next-generation capabilities.


Integration capabilities are crucial as they allow your firewall software to work in harmony with other security solutions you might have in place. Cisco firewalls, as you might expect, integrate seamlessly with other Cisco solutions, but can falter when trying to integrate with third-party solutions. On the other hand, thanks to its open-source nature, pfSense can be configured to integrate very broadly.

By considering these features when choosing your firewall software, you can ensure that you select a solution that meets the specific needs of your business, provides comprehensive protection and offers room for growth and adaptation as your business evolves.

Benefits of working with firewall software

Employing robust firewall software within your network infrastructure brings along a myriad of benefits that contribute to the overall security and efficiency of your business operations, from enhanced network security and data protection to reduced downtime and regulatory compliance.

Enhanced network security

Perhaps the most fundamental advantage of using firewall software is the enhanced network security it provides. Firewall software acts as the first line of defense against potential threats, including hackers, viruses, and other cyberattacks.

By monitoring and controlling incoming and outgoing network traffic based on predetermined security rules, firewall software ensures that only safe connections are established, thus protecting your network.

Data protection

With the increasing incidence of data breaches and cyber theft, data protection is more crucial than ever. Firewall software plays a pivotal role in safeguarding sensitive data from being accessed or stolen by unauthorized users.

By blocking unauthorized access, it ensures the safety of important information and reduces the risk of data breaches.

Traffic management

Firewall software is not only about protection but also about managing and optimizing the network traffic. Features like bandwidth management can be leveraged to allocate network resources effectively and ensure the smooth functioning of your online operations.

Real-time security updates

With the constantly evolving threat landscape, maintaining up-to-date security measures is vital. Firewall software frequently receives real-time security updates, which help to protect your network against the latest threats. This ensures that your network remains secure against even the most recent forms of cyberattacks.

Reduced downtime

Downtime can be a significant issue for any business, leading to financial losses and damage to reputation. By proactively identifying and preventing potential threats, firewall software can significantly reduce the risk of system outages, leading to increased uptime and reliability.


As your business grows, so does the complexity and the scope of your network. Scalable firewall software grows with your business, adjusting to the increased demands and providing consistent protection despite the expanding network size. This makes it a cost-effective solution that can support your business in the long term.

Regulatory compliance

Many industries have regulations in place requiring businesses to protect sensitive data. Firewall software helps meet these regulatory requirements by providing robust security measures that prevent data breaches and protect client and customer information.

Incorporating firewall software into your network infrastructure is a critical step towards securing your business in an increasingly digital world. The benefits it offers are invaluable, providing not just enhanced protection, but also efficiency and adaptability that can significantly contribute to your business’s success.

How to choose the best firewall software for your business

Choosing the best firewall software for your business involves a careful examination of your specific needs and security requirements. 

  • Size and security level: The size and nature of your business, the sensitivity of your data, and the extent of your network operations are crucial factors that determine what kind of firewall software will be the most beneficial.
  • Comprehensive features: Moreover, you should consider firewall solutions that offer a comprehensive suite of security features, such as VPN services, antivirus protection, and advanced threat detection capabilities.
  • Scalability: The scalability of a firewall software solution is important, particularly for growing businesses. Opt for software that can seamlessly adapt to the expanding needs of your network, providing reliable protection irrespective of your business size.
  • Interface: Unless you have a robust, well-trained IT department, the interface of your chosen software will need to be user-friendly and easily manageable, even for those with minimal technical expertise.
  • Cloud-based management: Features that allow for remote configuration and monitoring are highly beneficial in the current era of remote work. These features offer the flexibility of managing your network’s security from any location, improving overall efficiency.
  • Integration: Your chosen software should integrate smoothly with your existing security infrastructure to create a comprehensive, effective security system.
  • Support: Solid customer support from the vendor is also crucial to navigating any issues that may arise during setup or throughout the software’s lifespan.

Choosing firewall software is an investment in your business’s security, so take the time to evaluate each option thoroughly.

Frequently Asked Questions (FAQs)

Who should use firewall software?

Any individual, business, or organization that uses a network or the internet should consider using firewall software. Whether you’re a small business owner, a large corporation, or a home user, a firewall can provide essential protection against unauthorized access and various cyber threats.

Where are firewalls located on a network?

Firewalls are typically located at the edge of a network, serving as a barrier between a trusted internal network and an untrusted external network, such as the internet. They can also be positioned between different parts of an organization’s networks to control access.

Are there any downsides to using a firewall?

While firewalls are essential for network security, they can occasionally block legitimate traffic if the security settings are too restrictive. Additionally, managing and maintaining a firewall can require technical expertise. However, the benefits of using a firewall far outweigh these potential challenges.

How often should a firewall be updated?

Firewall software should be updated regularly to ensure it can protect against the latest threats. Many firewall providers release updates regularly and many firewalls are set to update automatically. However, it’s a good idea to check for updates manually periodically to ensure your firewall is up-to-date.

What is firewall software’s role in regulatory compliance?

For many businesses, especially those in regulated industries like healthcare or finance, firewall software plays a critical role in meeting compliance requirements. Regulations like the Health Insurance Portability and Accountability Act (HIPAA) or the General Data Protection Regulation (GDPR) require robust data protection measures, which includes network security provided by a firewall.

Can firewall software protect against all cyber threats?

While firewall software provides a strong layer of protection, it’s not a panacea for all cyber threats. Some sophisticated threats, like targeted phishing attacks or insider threats, require additional security measures. It’s essential to have a comprehensive security strategy in place that includes firewall software, antivirus software, strong access controls, and user education about safe online practices.


To deliver this list, we based our selection on an examination of firewall software features and overall reputation in addition to their ease of use, quality of customer support, and value for money.

This information is available in user reviews as well as official product pages and documentation. Nonetheless, we encourage you to conduct your own research and consider your unique requirements when choosing a firewall software solution.

Bottom line: Choosing the best firewall software for your business

The evolving threat landscape necessitates a robust and reliable firewall solution for both personal use and businesses of all sizes. Based on the products listed, it’s evident that several excellent options exist in the market, each with its own unique strengths and capabilities.

Choosing the best firewall software ultimately depends on your requirements, the nature of the network environment, and the budget at hand. It’s essential to consider each product’s features, pros, and cons, and align them with your individual or business needs.

The chosen solution should provide comprehensive protection, be user-friendly, and ideally offer scalability for future growth. Whether it’s for personal use or to protect a multilayered enterprise network, there’s a firewall solution out there that fits the bill.

Also see

Firewalls come in all shapes and sizes. Here’s a look at eight different types of firewalls.

We also did a review of the best firewalls for small and medium-sized businesses.

And once you’ve selected your firewall, make sure you define and implement a clear, strong firewall policy to back it up—as well as setting robust firewall rules to govern the software.

Source :

7 Best Firewall Solutions for Enterprises in 2023


Enterprise firewall software is an essential component of network security infrastructure for organizations. These firewalls are designed to provide high availability and scalability to meet the needs of large and complex networks because they can handle high traffic volumes and accommodate the growth of network infrastructure.

By exploring the following top firewall solutions, enterprises can make an informed decision to fortify their network defenses and safeguard critical assets from ever-evolving cyber threats.

Best firewall solutions for enterprises: Comparison chart

Best for DLP capabilityURL filteringReportingIntegration with third party solutionDNS filteringStarting price
Palo Alto NetworksOverallAvailable on request
Check Point QuantumConnected devicesAvailable on request
Fortinet FortiGateFlexibility and scalabilityAvailable on request
Juniper NetworksLogging and reporting capabilityAvailable on request
Cisco Secure FirewallCentralized managementAvailable on request
ZscalerBusinesses with cloud network infrastructure$72 per user per year
pfSenseOpen source$0.01 per hour

Jump to:

Palo Alto Networks icon

Palo Alto Networks

Best overall enterprise firewall

Palo Alto is a leading network security provider of advanced firewall solutions and a wide range of network security services.

The company offers various firewall solutions for various enterprise use cases, including cloud next generation firewalls, virtual machine series for public and private clouds, container series for Kubernetes and container engines like Docker, and its PA-series appliances designed for data centers, network edge, service providers, remote branches and retail locations, and harsh industrial sites.

These firewalls provide enhanced visibility, control, and threat prevention capabilities to protect networks from various cyber threats, including malware, viruses, intrusions, and advanced persistent threats (APTs).


Palo Alto doesn’t advertise its product pricing on its website. Our research found that the Palo Alto PA-series price range from $2,900 to $200,000 (more or less). To get the actual rates for your enterprise, contact the company’s sales team for custom quotes.

Standout features

  • Advanced threat prevention.
  • Advanced URL filtering.
  • Domain name service (DNS) security.
  • Medical IoT security.
  • Enterprise data loss prevention (DLP).
  • Up to 245 million IPv4 OR IPv6 sessions.


  • Provides visibility across IoT and other connected devices.
  • Provides visibility across ​​physical, virtualized, containerized and cloud environments.
  • Offers a variety of products for different business sizes, from small businesses to large enterprises.
  • Easy-to-navigate dashboard and management console.


  • Complex initial setup.
  • Some users reported that the Palo Alto license is pricey.
Check Point icon

Check Point Quantum

Best for connected devices

Check Point is an Israeli multinational company that develops and sells software and hardware products related to network, endpoint, cloud, and data security.

Check Point Quantum is designed to protect against advanced cyber threats, targeting Gen V cyber attacks. This solution encompasses various components to safeguard networks, cloud environments, data centers, IoT devices, and remote users.

Check Point’s SandBlast technology employs advanced threat intelligence, sandboxing, and real-time threat emulation to detect and prevent sophisticated attacks, including zero-day exploits, ransomware, and advanced persistent threats.


Check Point does not publicly post pricing information on its website. Data from resellers shows that Check Point products can range from around $62 for a basic solution to over $50,000 for an enterprise-level solution. Contact the Check Point sales team for your actual quotes.

Standout features

  • URL filtering.
  • DLP.
  • Full active-active redundancy.
  • Zero-trust protection for IoT devices.
  • Check Point Quantum protects against GenV attacks.
  • Advanced threat protection.


  • 24/7 customer service and support.
  • Easy to setup and use.
  • Management platform with automation features.
  • Sandblast protection for testing malware.


  • Users reported that the Check Point firewall is expensive.
  • Documentation can be improved.
Fortinet icon

Fortinet FortiGate

Best for flexibility and scalability

Fortinet offers various firewall products for different organization sizes, from home offices to large enterprises.

The FortiGate 7000 series (FG-7121F, FG-7081F, FG-7081F-2, FIM-7921F, FIM-7941F, and FPM-7620F) is an enterprise firewall product that provides high-performance network security. It is designed for organizations with high network traffic volumes and that have to manage large network infrastructures.

This firewall series is powered by a Security Processing Unit (SPU) of up to 520Gbps and also includes the latest NP7 (Network Processor 7) and CP9 (Content Processor 9).


Fortinet’s FortiGate firewall tool pricing is available upon request. Pricing will depend on various factors, including the size of the network, the number of users, and the types of security features needed. Contact a Fortinet representative for pricing and product information.

Standout features

  • Protects IT, IIoT, and OT devices against vulnerability and device-based attack tactics.
  • FortiGate 7000F series provides NGFW, segmentation, secure SD-WAN, and mobile security for 4G, 5G, and IoT.
  • Offers various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
  • Zero Touch Integration with Fortinet’s Security Fabric Single Pane of Glass Management.


  • Integrations with over 500 third-party services.
  • AI-powered capabilities.
  • Users reported that the tool is user-friendly.


  • Support can be improved.
  • Its reporting feature can be improved.
Juniper Networks icon

Juniper Networks

Best for logging and reporting capability

Juniper Networks’ firewall helps enterprises protect their network edge, data center, and cloud applications.

The company is also known for its Junos operating system (OS), a scalable network OS that powers Juniper Networks devices. Junos provides advanced routing, switching, and security capabilities and allows for seamless integration with third-party software and applications.

Juniper Networks vSRX virtual firewall provides enhanced security for Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform, IBM Cloud, and Oracle Cloud environments, while its cSRX Container Firewall offers advanced security services to secure applications running in containers and microservices. The company’s SRX firewalls series is designed for various organization sizes, from small to large enterprises.


Juniper Network pricing is available on request. However, they offer different license methods, including Pay-As-You-Go (PAYG) and Bring-Your-Own-License (BYOL) options for public clouds. Contact the company’s sales team for custom quotes.

Standout features

  • Juniper Network has various types of firewalls, including container firewalls, virtual firewalls and hardware firewall appliances.
  • Public cloud workload protection, including AWS, Microsoft Azure, and Google Cloud Platform.
  • Logging and reporting capability.
  • Supports VMware ESXi, NSX, and KVM (Centos, Ubuntu).


  • Advanced threat prevention capability.
  • Deployable on-premises and cloud environments.


  • Support can be improved.
  • Users report that some Juniper Networks firewall products are expensive.
Cisco icon

Cisco Secure Firewall

Best for centralized management

Cisco Secure Firewall combines firewall capabilities with advanced security features to protect networks from various threats, including unauthorized access, malware, and data breaches.

Cisco Secure Firewall integrates with Cisco Talos, a threat intelligence research team. This collaboration enables the firewall to receive real-time threat intelligence updates, enhancing its ability to identify and block emerging threats.

Cisco Secure Firewall can be centrally managed through Cisco Firepower Management Center (FMC). This management console provides a unified interface for configuration, monitoring, and reporting, simplifying the administration of multiple firewalls across the network.


Contact Cisco’s sales team for custom quotes.

Standout features

  • IPS to protect against known threats.
  • Web filtering.
  • Network segmentation.
  • Centralized management.


  • Provides comprehensive visibility and control.
  • Efficient support team.
  • Highly scalable tool.


  • Support can be improved.
  • Complex initial setup.
Zscaler icon


Best for businesses with cloud network infrastructure

The Zscaler firewall provides cloud-based security for web and non-web traffic for all users and devices. Zscaler inspects all user traffic, including SSL encrypted traffic, with elastically scaling services to handle high volumes of long-lived connections.

One of the key advantages of Zscaler’s cloud-based approach is that it eliminates the need for on-premises hardware or software installations. Instead, organizations can leverage Zscaler’s infrastructure and services by redirecting their internet traffic to the Zscaler cloud. This makes scaling and managing security easier across distributed networks and remote users.


Zscaler doesn’t advertise its rates on its website. However, data from resellers shows that its pricing starts from about $72 per user per year. For your actual rate, contact the Zscaler sales team for quotes.

Standout features

  • Centralized policy management.
  • Fully-integrated security services.
  • Real-time granular control, logging, and visibility.
  • User-aware and app-aware threat protection.
  • Adaptive IPS security and control.
  • File transfer protocol (FTP) control and network address translation (NAT) support.


  • Easy to use and manage.
  • AI-powered cyberthreat and data protection services.
  • Always-on cloud intrusion prevention system (IPS).
  • AI-powered phishing and C2 detection.


  • Complex initial setup.
  • Documentation can be improved.
pfSense icon


Best open-source firewall

pfSense is an open-source firewall and routing platform based on FreeBSD, an open-source Unix-like OS. It is designed to provide advanced networking and security features for small and large networks.

pfSense can be deployed as a physical appliance or as a virtual machine. pfSense offers many capabilities, including firewalling, VPN connectivity, traffic shaping, load balancing, DNS and DHCP services, and more.


For pfSense cloud:

  • pfSense on AWS: Pricing starts from $0.01 per hour to $0.40 per hour.
  • pfSense on Azure: Pricing starts from $0.08 per hour to $0.24 per hour.

For pfSense software:

  • pfSense CE: Open source version available to download for free.
  • pfSense+ Home or Lab: Available at no cost for evaluation purposes only.
  • pfSense+ W/TAC LITE: Currently available at no charge, but the vendor may increase the rate to $129 per year in the future. 
  • pfSense+ W/TAC PRO: $399 per year.
  • pfSense+ W/TAC ENT: $799 per year.

pfSense offers three hardware appliances tailored to the needs of large enterprises.

  • Netgate 8200: Cost $1,395. It has 18.55 Gbps IPERF3 and 5.1 Gbps IMIX traffic speed.
  • Netgate 1537: Cost $2,199. It has 18.62 Gbps(10k ACLs) IPERF3 and 10.24 Gbps (10k ACLs) IMIX traffic speed.
  • Netgate 1541: Cost $2,899. It has 18.64 Gbps(10k ACLs) IPERF3 and 12.30 Gbps(10k ACLs) IMIX traffic speed.

Standout features

  • NAT mapping (inbound/outbound).
  • Captive portal guest network.
  • Stateful packet inspection (SPI).


  • Free open-source version.
  • Community support.
  • Anti-spoofing capability.


  • Steep learning curve for administrators with limited experience.
  • GUI is old-fashioned and could be simplified.

Key features of enterprise firewall software

There’s a wide variety of capabilities that enterprise firewall software can provide, but some of the key features to look for include packet filtering, stateful inspection, application awareness, logging and reporting capabilities, and integration with your existing security ecosystem.

Packet filtering

Firewall software examines incoming and outgoing network packets based on predefined rules and policies. It filters packets based on criteria such as source/destination IP addresses, ports, protocols, and packet attributes. This feature enables the firewall to block or allow network traffic based on the configured rules.

Stateful inspection

Enterprise firewalls employ stateful inspection to monitor network connections’ state and analyze traffic flow context. By maintaining information about the state of each connection, the firewall can make more informed decisions about which packets to allow or block.

Application awareness 

Modern firewall software often includes application awareness capabilities. It can identify specific applications or protocols within network traffic, allowing organizations to enforce granular policies based on the application or service used. This feature is handy for managing and securing web applications and controlling the use of specific services or applications.

Logging and reporting

Firewall software logs network events, including connection attempts, rule matches, and other security-related activities. Detailed logging enables organizations to analyze and investigate security incidents, track network usage, and ensure compliance with regulatory requirements. Reporting capabilities help generate comprehensive reports for auditing, security analysis, and compliance purposes.

Integration with the security ecosystem

Firewall software is typically part of a broader security ecosystem within an organization. Integration with other security tools and technologies, such as antivirus software, threat intelligence platforms, Security Information and Event Management (SIEM) systems, and network access control (NAC) solutions, allows for a more comprehensive and coordinated approach to network security.

Benefits of working with enterprise firewalls

Key advantages of enterprise firewall solutions include enhanced network security, threat mitigation, and access control, as well as traffic analytics data.

  • Network security: Firewalls act as a protective barrier against external threats such as unauthorized access attempts, malware, and other malicious activity. Enforcing access control policies and modifying network traffic helps prevent unauthorized access and protect critical data.
  • Threat mitigation: By combining intrusion prevention techniques, deep packet monitoring, and threat intelligence, a firewall can detect and block suspicious traffic, reducing the risk there that the network will be corrupted and damaged so
  • Access control: Firewall software allows administrators to restrict or allow access to network resources, applications, and services based on specific user roles, departments, or needs. This ensures that only authorized people or systems can access the screen and its accessories.
  • Traffic data and analytics: In addition to protecting your network, firewalls can also provide granular information about traffic and activity passing through your network, as well as its overall performance.

How do I choose the best enterprise firewall solution for my business?

When choosing the best enterprise firewall software for your business, consider the following factors.

  • Security: Assess your organization’s specific security needs and requirements.
  • Features: Evaluate the features and capabilities of firewall solutions, such as packet filtering, application awareness, intrusion prevention, VPN support, centralized management, and scalability. Consider the vendor’s reputation, expertise, and support services.
  • Compatibility: Ensure compatibility with your existing network infrastructure and other security tools.
  • Hands-on tests: Conduct a thorough evaluation of different firewall solutions through demos, trials, or proofs of concept to assess their performance, ease of use, and effectiveness in meeting your organization’s security goals.
  • Total cost of ownership (TCO): Consider the cost, licensing models, and ongoing support and maintenance requirements.

By considering these factors, you can make an informed decision and select the best enterprise firewall software that aligns with your business needs and provides robust network security.

Frequently Asked Questions (FAQ)

Is an enterprise firewall different from a normal firewall?

Although they share many characteristics, an enterprise firewall is not the same as a consumer-grade firewall. Enterprise firewalls are designed to meet large organizations’ security needs and network infrastructure challenges. They are robust, scalable, and can handle high network traffic volumes and sophisticated threats, compared to generic firewalls for home or small office environments.

What is the strongest type of firewall?

A firewall’s strength depends on various factors, and no universally dependable firewall exists. A firewall’s effectiveness depends on its materials, configuration, and how well it fits into the organization’s security needs. 

That said, next-generation firewalls (NGFWs) provide improved security capabilities and are often considered the ideal firewall solution in today’s enterprise. NGFWs combine traditional firewall features with additional functionality such as application awareness, intrusion prevention, deep packet monitoring, and user-based policies. They provide advanced protection against modern threats with greater visibility and control over network traffic.

How do you set up an enterprise firewall?

Setting up an enterprise firewall involves several steps:

  1. Determine your network topology.
  2. Define security policies.
  3. Plan firewall placement.
  4. Configure firewall rules.
  5. Implement VPN and remote access.
  6. Test and monitor firewall performance.
  7. Perform regular updates and maintenance.

We recommend engaging network security experts or reviewing vendor documentation and support materials for specific guidance in installing and configuring your enterprise firewall.


The firewall solutions mentioned in this guide were selected based on extensive research and industry analysis. Factors such as industry reputation, customer reviews, infrastructure, and customer support were considered.

We also assessed the features and capabilities of the firewall solutions, including packet filtering, application awareness, intrusion prevention, DLP, centralized management, scalability, and integration with other security tools.

Also see

If you’re not sure one of the firewalls included here is right for your business, we also determined the best firewalls for SMBs, as well as the best software-based firewalls.

And once your firewall is in place, don’t neglect its maintenance. Here are the best firewall audit tools to keep an eye on its performance.

Source :

A Step-by-Step Guide to Export Office 365 Mailbox to PST

April 26, 2023 Thiraviam

As an organization admin, you may encounter situations such as users leaving their position or migrating to another mail service, etc. In such circumstances, you need to export Office 365 mailbox to PST and store them offline for investigation purposes. You can accomplish this in Office 365 without depending on any external third-party tools. You can export individual mailboxes or entire exchange mailboxes as an eDiscovery admin through the Microsoft Purview compliance portal. 

This guide will walk you through the steps to export Office 365 mailboxes to PST format using eDiscovery and PowerShell.  

Why Do We Need to Export Exchange Online Mailbox to PST?

PST stands for Personal Storage Table file format used by Microsoft Outlook to store email messages, contacts and calendar entries. When you back up your email mailbox to a PST file, that will be saved on your computer. 

Here are some reasons why PST files are commonly used for exporting Office 365 mailbox data: 

Compatibility: PST files can be opened and accessed by a variety of email clients, including Outlook and some third-party email clients. This makes it easy to share data with others or to access your data from different devices. 

Portability: PST files are small in size and can be easily transferred to a different location, such as a hard drive, USB drive, or cloud storage. This makes it easy to create backups of your mailbox data or to move your data to a different computer. 

Offline Access: PST files can be accessed even when you are not connected to the internet, making it easy to access your email messages and other data when you are on the go. 

Organization: PST files allow you to organize your email messages, contacts, and other data into folders, making it easy to find and retrieve specific items. 

Steps to Export Office 365 Mailbox to PST

As an Office 365 admin you can get the Exchange Online mailboxes and their details by exporting them to PST with eDiscovery admin permission. You need to follow the steps listed below. 

  1. Assign eDiscovery administrator 
  2. Content search to export Office 365 mailbox 
  3. Export Office 365 mailbox to PST 
  4. Download exported PST file from Office 365 mailbox

Assign eDiscovery Administrator 

To export Office 365 mailboxes, you must be an eDiscovery Administrator. By default, this role is not assigned to a global administrator. Follow the steps to assign user(s) to eDiscovery admin role.  

  1. Login to the Microsoft Purview compliance portal with your global administrator account. 
  2. Navigate to ‘Roles & Scopes’ tab and select ‘Permissions’ option. 
  3. Select ‘Roles’ under ‘Microsoft Purview Solutions’ category.                                                                                                                                                                                                                  Assign Permissions eDiscovery Admin
  4. Click on ‘eDiscovery Manager’ role and select ‘Edit’ option in the popup window.                                                                                                 eDiscovery Role Management
  5. Navigate to ‘Manage eDiscovery Administrator’ page by clicking on ‘Next’ button.                                                                                               Manage eDiscovery Manager
  6. Select ‘Choose users’ and select the user(s) who you want to make as eDiscovery admin. Then click on the ‘Select’ button in the popup and select ‘Next’ button.                                                                                                                                                                                           Manage eDiscovery Administrator
  7. Finally, click ‘Save’ on the ‘Review and finish’ page.                                                                                                                                                     eDiscovery Admin Review and Finish Page

In Office 365, before exporting a mailbox, it’s necessary to perform a content search that collects all the mail of the specified user(s) or all the contents of a mailbox. Once you complete the search, you can use the Export option to export the results to a PST file.

Note: An informational alert will trigger, and you will receive mail when an eDiscovery search started or exported. 

  1. Login to the Microsoft Purview compliance portal with the user account with which you have assigned an eDiscovery Administrator role.  
  2. Go to ‘Content search’ tab in the solutions menu and click on ‘New Search’ option.                                                                                      Content Search to Export Office365 Mailbox to PST
  3. Type the preferred name and description in the ‘Name and description’ page and click on ‘Next’.
  4. Turn ‘Exchange mailboxes’ on and click on ‘Choose users, groups, or Teams’ to select the users from the list.                                                                                                                                                                                                       Choose Users, Groups, or Teams for Content Search
  5. Select the required users whose mailbox is to be exported or leave this option to export all user’s mailboxes and click on the ‘Next’ button. 
  6. Leave the conditions empty if you want to export the complete mailbox and click on ‘Next’. You can also define your conditions if you want filtered results.   
  7. Check the details in ‘Review your search’ page and click on ‘Submit’. 
  8. A message ‘New search created. Soon you will be able to review estimates and preview results for your search’ will show in the portal.
  9. Click on ‘Done’ and wait for the status to change to ‘Completed’ in the content search page.                                                                                                                                                                                                                                                                                             Content Search Status

Note: The waiting time may differ with respect to the size of the mailboxes you have performed a content search. 

You can also perform Content search using the PowerShell with ‘New-ComplianceSearch cmdlet. First, connect to the compliance center ‘Connect-IPPSSession‘ cmdlet. 


Now run the cmdlet below by providing the name for the content search and Exchange location that you want to do content search. 

New-ComplianceSearch <SearchName> -ExchangeLocation <UPN>| Start-ComplianceSearch

Export Office 365 Mailbox to PST 

Once you have successfully created a mailbox content search, the next step is to export the search results. To do this, simply follow the steps below, which will guide you through the process.  

  1. Click on the content search ‘Mailbox Export’ that you have created in the previous steps. 
  2. Select ‘Actions’ and choose ‘Export results’.                                                                                                                                                                               Export Office 365 Mailbox to PST
  3. Select the appropriate ‘Output options’ and the ‘Export Exchange Content as’ options. Then click on ‘Export’. If you are not sure about the options, leave it as default.                                                                                                                                                                        PST Export Results Options
  4.  A message box with a message “A job has been created” is displayed. Click on ‘OK’. It will take some time to complete the export. 

You can also perform export using the PowerShell with ‘New-ComplianceSearchAction cmdlet. 

Run the below cmdlet with the content search name to export the mailbox. 

New-ComplianceSearchAction <SearchName> -Export -Format Fxstream
Content Search Using PowerShell

 You can also get the properties related to the export by using the following cmdlet. 

Get-ComplianceSearchAction "<SearchName>_export" -IncludeCredential | FL 

Download Exported PST File From Office 365 Mailbox  

With the help of Microsoft Office 365 eDiscovery Export Tool, you can download the exported mailbox results as a PST file. 

Note:  It’s important to note that this can only be done using the Microsoft Edge browser.

  1. Make sure that the status of the export is completed by clicking on the export job name in the ‘Export’ tab.                                                                                                                                                                                                                                                                  Mailbox Export Status Check
  2. Copy the ‘Export key’ by clicking on the ‘Copy to clipboard’ option and click on the ‘Download results’ option.                                                                                                                                                                                                                                                         Download Exported Results
  3. If this is the first time you are downloading a .pst file, you are prompted to install Microsoft Office 365 eDiscovery Export Tool. If you have already installed, skip this step and go to the next step. 
  4. Click ‘Open’ button in the upcoming popup and paste the export key.                                                                                                                    Permission to Open the Exported PST File
  5. Select the required location to store the download file by clicking on the ‘Browse’ button and click ‘Start’.                                                                                                                                                                                                                                                                                                  eDiscovery Export Tool
  6. You can be able to see the “Processing has completed” message after the download. Go to the specified location in your PC to view the downloaded PST file(s).                                                                                                                                                                                       Download Exported PST file from Office 365 Mailbox 

Office 365 Export PST File Size Limit 

When exporting PST files, the default file size limit is 10 GB. However, you have the ability to change this limit depending on your specific needs by increasing or decreasing the file size. Additionally, if the exported mailbox exceeds the PST size limit, the tool will automatically split the PST file into sequentially numbered files to accommodate the larger size.  

The main reason to do this is so PST files can fit on removable media, such a DVD, a compact disc, or a USB drive. You can adhere to the following steps to change the PST export file size limit. 

  • Before proceeding, make sure to check whether the eDiscovery Export tool is open, and if so, be sure to close it before continuing.
  • Type the following text in a notepad and save the following text to a filename suffix of .reg. For example, Pst.reg.   
Windows Registry Editor Version 5.00 

In the example above, the PstSizeLimitInBytes value is set to 1,073,741,824 bytes or approximately 1 GB. However, if you need to change this limit, you can easily do so by replacing the existing value with your desired limit in bytes.

  • Once you have created the .reg file by following the previous steps, it’s time to open it and proceed with the next steps.
  • In the User Access Control window, choose ‘Yes’ to grant permission to the Registry Editor to make the change. 
  • When asked to confirm, select ‘Yes’.                                                                                                                                                                               
Registry entry

The Registry editor will then display a confirmation message indicating that the “keys and values was successfully added to the registry”. 

Limitations in Exporting PST File in Office 365 

When exporting an Office 365 mailbox to a PST file, it is important to be aware of the limitations involved. Here is a list of the limitations you may encounter during the export process.

  • Browser Restrictions: You need to use Microsoft Edge browser. It’s not possible to export mailboxes to PST using other browsers without any extensions. 
  • File Corruption Issues: Increasing the default size of PST files larger than 10 GB might have corruption issues. 
  • Mailbox count limitation: You cannot download more than 100,000 mailboxes for search results using the eDiscovery Export Tool. 
  • Export Data Size Constraint: An organization can export 2TB data per day through content search. 
  • Output Display Restriction: Only 1,000 exports or reports will be displayed in Content search. 

Thus, exporting Office 365 mailbox to PST is a simple process that can be done in a few clicks. You can have a clear understanding of how to complete this task efficiently by following the above steps. Feel free to leave a comment below if you encounter any difficulties or need any assistance.

Source :