Proxmox Firewall as a Cisco ASA replacement?

galphanet

Hello,

Today we have a cluster of ASA5540 behind the production network, which is composed of VMs on Proxmox hosts. All VMs have public IP addresses.
We are in the process of retiring the Cisco ASA and we are evaluating other options available.
The ASA does IPv4/6 allow/deny, rate limiting and BCP38 enforcement, nothing fancy, no NAT, no IPsec.

Therefore I would like to know if we can consider the Proxmox firewall as a serious replacement?
What would be your thoughts about that? Is there something we should think of before using it?

Thanks for your input.
 
Do you have the net skills to write your own iptables rules from top to bottom?

Can you deploy a box between the world and your network and write your own rules?

If so, use Proxmox Firewall; it's just a wrapper for iptables.
 
Thanks for your reply.
I'd say the box is already here as iptables is running on the physical hosts.
It's not a problem to migrate all the rules; it will take some script-writing skills but we can do it.
 
Maybe you can use some Mikrotik devices. These are cheap and similar to Cisco. I used them in a network with a Proxmox cluster and I am happy with them. I use, for example, traffic prioritisation (via DSCP) and OSPF for my Proxmox cluster. But you can do more. If you want to see how it is, Mikrotik also has a virtualised image that can be used in Proxmox / KVM for free (cloud image router). Take a look and then decide if it is for your landscape/environment.
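
One way the BCP38 enforcement mentioned in the opening post could be expressed in plain iptables when the rules are migrated by script, added here as an example and not written by anyone in this thread: it turns a VM-NIC-to-address inventory into per-interface source address checks in iptables-restore format. The tap interface names, the addresses and the `BCP38` chain name are constructed for illustration; it emits raw iptables rules rather than Proxmox firewall configuration and covers IPv4 only.

```shell
#!/bin/sh
# Added example: emit BCP38 (source address validation) rules in
# iptables-restore format from "<tap interface> <IPv4 address>" lines.
# Assumptions: VM NICs are tap devices on a Linux bridge, and br_netfilter
# with net.bridge.bridge-nf-call-iptables=1 exposes bridged frames to FORWARD.

# Constructed inventory (documentation addresses, hypothetical VM NICs).
sample_inventory() {
    cat <<'EOF'
# tap interface   address the VM is allowed to use as source
tap100i0 203.0.113.10
tap101i0 203.0.113.11
tap100i0 203.0.113.12
EOF
}

# Reads the inventory on stdin. On any malformed line it prints nothing to
# stdout and returns non-zero, so a bad entry cannot inject rule text or
# leave a partial ruleset. Octet ranges are left to iptables-restore.
gen_bcp38() {
    awk '
    NF == 0 || $1 ~ /^#/ { next }              # skip blank lines and comments
    {
        ok = (NF == 2 && length($1) <= 15 &&
              $1 ~ /^[A-Za-z0-9][A-Za-z0-9_.-]*$/ &&
              $2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/)
        if (!ok) { bad = NR; exit }
        if (!($1 in allow)) order[++n] = $1    # keep first-seen order
        rule = "-A BCP38 -m physdev --physdev-in " $1
        allow[$1] = allow[$1] rule " -s " $2 " -j RETURN\n"
    }
    END {
        if (bad) { print "line " bad ": malformed entry" > "/dev/stderr"; exit 1 }
        print "*filter"
        print ":BCP38 - [0:0]"
        print "-A FORWARD -m physdev --physdev-is-bridged -j BCP38"
        for (i = 1; i <= n; i++) {             # allowed sources, then default drop
            printf "%s", allow[order[i]]
            print "-A BCP38 -m physdev --physdev-in " order[i] " -j DROP"
        }
        print "COMMIT"
    }'
}

sample_inventory | gen_bcp38
```

Frames arriving from the uplink or from interfaces not in the inventory pass through the chain unchanged; `iptables-restore --noflush --test` parses the output without committing it.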