Thank you ede for responding and my apologies for taking so long to reply back. I don't mind the length at all. As can be seen, I'm looking for help in two areas. I need device selection assistance and I'll probably need some configuration assistance once I get the devices.
I thank you for the detail of your response. Similarly, I'll put a lot of detail in my post and ask everyone for suggestions, ideas, and general discussion. I'm hoping the length of this post doesn't put too many folks off, but I'm trying to answer the questions of what we need. I'll try to organize the post in sections.
Fair warning, this is a long post. Even if you only have a part answer/suggestion to anything below, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
I understand that some feel a reseller is the way to go but my experience is that a reseller usually just wants to push the hardware and be done with it. I have found that I have better luck selecting the reseller if I have a good idea up front of what the device can do. Of course, I'm open to suggestions of good resellers to consider (PMs are fine) and even persons willing to provide assistance on a paid basis (again PMs are fine) but it's important to me to understand what I can and can't do with the hardware. After all, I have to support it.
Who we are/What we do:
I am the owner of a very small business providing remote desktop services for small companies so they don't have to maintain any hardware or software. They simply subscribe to a desktop and I pretty much take care of the rest.
We use VPN tunnels between the customer's locations. The Cisco 2901 at the datacenter end is sufficient for the VPNs and does the NATs well, but it lacks many things that I'd like to have. Particularly, it's currently a single point of failure that I want to address as part of the replacement. I'd like to have two devices, either of which can provide connectivity should the other fail. I already have cross-connected switches inside of that, but I need a good firewall device that can be set up to utilize the datacenter's redundant connection capability ("HSRP/VRRP") and which does the VPN and NATs that we need.
For the customers' end, we utilize Cisco ASA 5505 devices. These are mostly adequate but need to be refreshed as well. They also have a few limitations from the customer simplicity point of view. Frankly, their DNS and DHCP functionality stinks. But they do handle the VPN and the NATs really well.
I understand from above that there are two basic areas. Basic device capabilities and capabilities augmented by subscriptions. I am open to the subscription model as threats evolve and to counter them I'll need the continual updates provided by subscription. Which subscriptions are suggested? I don't believe I'm ready for "Enterprise" level stuff, but I do need good threat protection. One of the areas that concerns me is VoIP. Because the phone system is in-house, we have a lot of ports opened to that device. Because the smart phone app that works with the in-house phone system reaches in from the outside, I can't restrict the incoming source address because the smartphones might be anywhere.
I need to be able to direct one static IP to the phone system device. The NAT functionality needs to not mess up the VoIP traffic. On the Cisco ASA, I have to turn off the inspect for the SIP traffic. I need equivalent functionality in the replacement devices.
I need to be able to gather data and information from the devices to see how they are performing, preferably in the form of graphs. I'm not a Network Engineer by trade, but I can do the 80% stuff without issue. What I don't have is time to do the intensive dig-in. I need the devices (or a package that works with the devices) to provide data on what's happening and what has happened, both from a utilization viewpoint and from a diagnostics viewpoint. And, since I'm looking for UTM/NGFW type devices, I'd like to see good reporting on the threats encountered and what was done. I think I saw FortiAnalyzer in the above response.
OK, that's the basic features. On to selection:
Device Selection; Datacenter: Each customer has one VPN tunnel per office. Since we're small, that's currently about 15, but I'd like to be able to support about 100. The VPNs tend to be low traffic as they really only carry the print and scan traffic from the customer. The majority of the traffic comes from connections to specific ports reserved for each customer, which are then "routed" to the customer's server. This implies that the replacement device is capable of both the firewall aspect and a routing aspect along with the requisite NAT (P-NAT for Cisco). This device needs to have intrusion protection and the UTM/NGFW features that help protect the customer. I need a pair of them that can operate in a redundant manner.
So any suggestions on which device for the datacenter?
Device Selection; Customer:
Each customer office has one device which maintains a VPN tunnel to the server (for the print and scan traffic). Most of the access to the server is via protected protocols (https, secure RDP connections) and doesn't actually traverse the VPN. The device needs to be able to do NAT and basic routing for the small office. It needs to be able to provide DNS and DHCP server functionality because the small offices don't have any servers at all; they're just a collection of PC/tablet units that use the internet. I need to be able to set up DHCP option records for things like timeclocks and VoIP systems, and I need to be able to do device reservations (by MAC at a minimum).
So, any suggestions on which device for the customer end?
And, if you reached the end, I thank you. Even if you only have a part answer/suggestion to anything above, I'd appreciate hearing it. Who knows, this thread might be useful to someone else in the future.
Thanks and looking forward to your responses.