Cool to see that you feel the same way, as I just explained to my colleagues that filtering should be handled on the endpoint and not in the firewall. This was a couple of months ago.
@theundertaker5963 2 years ago
I already have a good 8 places to post this to off the top of my head, and I assure you I will send many more people over to this video as the time goes by. Thanks!
@PowerUsr1 2 years ago
Excellent content here Tom. I think this should answer a lot of the questions you get on the forums and on the vlog. Thanks again
@mind1296 2 years ago
Absolutely agree. Tom's every content is straightforward, sticks to the point and helps the community. Keep it coming!
@inferKNOX2 2 years ago
I have been having a nightmare with filtering in an environment where management wants everything blocked and select sites accessible. In my case, it involves a Fortigate, which, once you install its CA to the endpoints, is quite good about it. Issues remain surrounding certificates that span wanted and unwanted services though, with Google's one for itself and KZbin being a prime example. Besides that, opening a site up leaves the issue of inaccessible dependencies like scripts, etc., that need to load from other sites, including CDNs. So the end user may have access to the site, but everything is broken until one inspects and discovers all the other sites the browser needs to load from for it to work (there may be a better way, but I'm yet to find it). This gets especially bad when different pages have different dependencies. To top it all off, opening access to CDNs for some dependencies gives the headache of unwanted sites, etc., on the CDNs also becoming accessible when they shouldn't be... it's nuts and I hate it.
@RobbyPedrica 2 years ago
HTTP/3, which is based on QUIC, is supported for DPI inspection in v7.2 of FortiOS.
@LAWRENCESYSTEMS 2 years ago
Thanks
@Alexnz935 2 years ago
Thank you Tom for this video. I just wanna say thank you for all your great content over the years; it has taught me a lot over the last 3 years. I just wanna say thank you, going for my JNCIP-SP this week. I just wanna say thank you for all your great content; not the smartest dude, but your videos are fun to watch and easy to work alongside with you and build out from there. I built my first ever TrueNAS system because of your videos on TrueNAS. Just thought I would say thank you for the years of great content, and can't wait for many more years of content from you.
@JasonsLabVideos 2 years ago
So far Arista does the best CF I have used yet!
@joshsmith4998 2 years ago
This aligns with what I've been thinking as well when it comes to content filtering. We have been hesitant to implement decryption on our Palo Alto fw because of the challenge to maintain the certificate and deploy it, and then needing to manage and monitor the filtering from PAN-OS. I'm sure it's manageable with larger teams of people, but we're a small team at my org, so something like an endpoint solution seems like a better fit if that's a road we ever intend to travel.
@RobbyPedrica 2 years ago
You can use a single host cert across multiple firewalls in a wildcard fashion with either manual push or auto through AD Cert services. Not that difficult to maintain. Vendors' APIs make this even easier if you're into config automation.
@joshsmith4998 2 years ago
@RobbyPedrica Thanks for the context, definitely not outside the realm of what I can personally do, but sadly I only have a team of 3 including myself, a new-to-IT helpdesk guy, and my boss (our director). Even if I were to set something like this up, nobody else on my team would really be inclined to maintain or replace the cert when it expires, as they're not particularly keen on certificates or managing our Palo Alto HA FWs. Definitely a strong consideration for the future when we have more sysadmins at our disposal though. Just kinda trying to keep the environment manageable should I ever choose to move along for the time being, which is something we all deal with I 'spose.
@RobbyPedrica 2 years ago
@joshsmith4998 I personally look after around 1200 firewalls. With the right tools, volume is irrelevant and difficult becomes easy.
@joshsmith4998 2 years ago
@RobbyPedrica that's no small feat! I'm in a role currently wearing all the hats for a convenience store chain with almost 100 locations, and trying to keep the machine oiled has been a lot. Automating manual processes has been a must, and I've honestly just been learning every day.
@djstraussp 2 years ago
Great information with a touch of granularity. I'll be checking out your recommendations about those software solutions.
@robomac88 2 years ago
What would you suggest for schools and churches that want to offer an open guest network, but also want to block torrents and adult content on it? Putting certificates on devices is not an option so would the best approach be something like OpenDNS or Untangle?
@LAWRENCESYSTEMS 2 years ago
Untangle is a popular solution for that.
@rajismiley8937 2 years ago
So in my experience for small business and/or the family home, in my case, I have been combining the speed of Suricata/Snort and the Adam:One DNS pfSense plugin. It has been really effective in applying different policies to certain devices in the home or office in terms of what websites can be visited. I haven't seen it fail, but I most certainly haven't implemented it in a commercial sense for any of my clients. IMO the next step I am considering, seeing as I feel I have outgrown my pfSense, was to shift to a Palo VM, which I have managed to build on great compute specs and only been forced to pay 4k for 3 years. I haven't done it yet because, as I mentioned, it's 4k, sigh. The certificate thing can be automated across most NG firewalls today in terms of renewal and even for deployment to endpoints. But not something I'd recommend, 'cause downtime, even at home, is NOT A HAPPY HOME. My home is my lab; don't do that, I warn most. What I am really looking out for in terms of tech is the emerging DDI and IPAM SaaS products becoming more and more accessible in price to the midmarket and special interest groups such as hybrid dev houses and automated containerised services that are infra and cloud agnostic.
@GrishTech 2 years ago
Zscaler is an okay product that lives on the client device. I agree that client-based solutions are far superior to something on the edge.
@michaelsworkshop9031 2 years ago
What are your thoughts about DNS security services like Cisco Umbrella? Managing some of these issues by controlling/filtering DNS inside the firewall is the only way we were able to cover these types of needs across Chromebooks, PCs, Macs, iPads, iPhones, Android, etc., by controlling what the endpoint devices were able to look up and connect to. pfSense restricts users to our filtering DNS servers. No WFH users on these particular deployments, making it simpler to enforce.
@LAWRENCESYSTEMS 2 years ago
We prefer endpoint management over DNS filtering.
@netwolfstar 1 year ago
Would be good if you would review Firewalla Gold.
@LAWRENCESYSTEMS 1 year ago
It's a consumer device that I currently don't have time to look at.
@qcnsllcqcnsupport7616 2 years ago
Hey Tom, thanks for all the great videos... I know how you feel about firewalls that aren't open source, but I think Sophos XG does a very good job at this. And there's a free version...
@JasonsLabVideos 2 years ago
That FW needs HUGE resources to run! EWW
@HisLoveArmy 2 years ago
The new XGS model is a lot faster also. For the price it’s a really great firewall.
@sven957 2 years ago
Have you tried out Cloudflare's zero trust solution? Seems interesting to me because it has pretty granular control and it's free for smaller customers.
@LAWRENCESYSTEMS 2 years ago
I don't like the idea of being locked to a particular vendor solution. Changing out the software via software loaded on each endpoint is easier to manage.
@rajismiley8937 2 years ago
I tried it, and the problem with Cloudflare is that location data is selectively given up; it's not zero trust if you can't even do the damn basics.
@mithubopensourcelab482 2 years ago
Neither Saaslio nor Zorus provides transparent pricing on their website.
@FabioVascoGomes 2 years ago
I think it's $3/month/device. At least that is what a Google search shows.
@mithubopensourcelab482 2 years ago
Excellent video.
@derrysan 2 years ago
Just realized that untangle is part of Arista now.
@mithubopensourcelab482 2 years ago
Web filtering is most difficult to manage.
@kchiem 2 years ago
4:46 "but before we get into how we solve that solution.." hmm....
@sebastienloyer9471 2 years ago
Filtered, stay safe
@melltelae3557 2 years ago
Untangle has decent filtering for schools and such. Looks like Arista owns Untangle.. wonder when that happened!
@LAWRENCESYSTEMS 2 years ago
They bought them earlier this year
@clarkmakoni905 2 years ago
Yeah, 2nd comment 😁. Hi Tom.
@TechySpeaking 2 years ago
First
@hycron1234 2 years ago
So .... no real solution that is free and open source?
@LAWRENCESYSTEMS 2 years ago
Not aware of anything
@hycron1234 2 years ago
I might trial Saaslio, Zorus seems like overkill for home use.