A firewall is the control point between your network and everything outside it. Get the spec wrong — too small, wrong features, or a lapsed subscription — and you are either paying for hardware that bottlenecks your internet connection or running a box that stopped protecting you three months ago. This guide covers the decisions that matter.
Sizing to users and internet speed
Firewall throughput figures on datasheets are measured under ideal, often unrealistic conditions. The number that matters is UTM throughput (or “threat protection throughput”), not the headline stateful inspection figure.
| Office size | Internet service | Recommended UTM throughput |
|---|---|---|
| Up to 20 users | 100–250 Mbps NBN | 300–500 Mbps UTM |
| 20–75 users | 500 Mbps–1 Gbps NBN / fibre | 800 Mbps–1.5 Gbps UTM |
| 75–200 users | 1 Gbps+ fibre or multi-WAN | 1.5–3 Gbps UTM |
| 200+ users | Multi-WAN, SD-WAN, redundant links | Purpose-specified — request a quote |
UTM/inspection features routinely cut rated throughput by 50–70%. If the datasheet shows 2 Gbps firewall throughput and 600 Mbps UTM throughput, the 600 Mbps figure is what you plan around. Buy headroom — traffic grows, and you do not want to revisit hardware in 18 months.
UTM and NGFW features worth understanding
Intrusion Prevention System (IPS): inspects packet payloads and blocks known exploit patterns. Signature databases update continuously — this is why the subscription matters.
Gateway antivirus: scans files in transit (HTTP, FTP, email protocols) before they reach endpoints. Not a replacement for endpoint AV, but adds a catch layer before files land on desktops.
Content and web filtering: blocks categories of URLs (malware, phishing, adult, social media) and can enforce safe-search. Useful for policy enforcement and for blocking drive-by downloads.
Application control: identifies and controls applications regardless of port — Teams, Zoom, BitTorrent, and most SaaS tools are fingerprinted at the application layer, not just by port 443.
TLS/SSL inspection: decrypts and re-encrypts HTTPS traffic for scanning. Effective but processor-intensive — it has a larger throughput cost than other UTM features and requires certificate management. Decide early whether you need it.
VPN: site-to-site and remote access
Site-to-site VPN connects locations permanently — branch to HQ, office to a cloud VPC. Most business firewalls support IKEv2 IPsec; check interoperability if the far end is a different vendor.
Remote access VPN lets staff connect from home or travel. Look at concurrent tunnel limits on the licence tier you are buying — entry-level SKUs frequently cap at 10–25 simultaneous connections, which is a hard limit that fails silently when the 26th person tries to connect.
SSL VPN (browser-based or thin client) is the most common remote-access method for SMBs because it works through standard HTTPS without requiring firewall rules at the client end. IPsec-based remote access is faster and better for power users or large file transfers.
High availability
If your office cannot work without internet — EFTPOS, cloud ERP, VoIP, remote staff — a single firewall is a single point of failure. High availability (HA) pairs two identical appliances in active/passive mode. The secondary takes over within seconds of a primary failure, with no configuration drift because they sync state.
HA requires two identical units and typically two licences. Some vendors offer reduced-cost HA standby licences; verify this before quoting. HA is separate from WAN redundancy (failover to a second ISP or Starlink) — you can have both.
Vendor ecosystems
The major vendors at the SMB and mid-market level each have coherent ecosystems covering firewall, switches, and wireless. Fortinet, Sophos, WatchGuard, and Meraki are common in the Australian market. The right choice depends on what your IT team or MSP already manages, what integrates with your switches and APs, and the support model you need. We stock across vendors — ask for a comparison if you are starting fresh or replacing aging hardware.
The subscription trap: licences lapse and protection stops
This is the part most buyers underestimate. Business firewalls are not buy-once hardware. Security licences — covering IPS, gateway AV, content filtering, and application control — are annual subscriptions tied to the appliance serial number. Miss the renewal date and protection degrades immediately or within a short grace period. The appliance continues to pass traffic; it just stops blocking newly identified threats.
Renewal pricing is typically 15–25% of hardware cost per year. Over three years, the total licence cost often exceeds the hardware cost. Build this into your budget from day one.
Business IT Supply tracks licence and subscription expiry dates for appliances purchased through us. We contact you ahead of renewal so the decision is deliberate — not something you discover after a security incident or an audit. We can also check expiry status on appliances not purchased here if you bring an existing environment to us.
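Expiry tracking of this kind can also be run in-house from a simple inventory export. The script below is an added example, not part of the original page or any vendor's tooling; the CSV layout, serial numbers, dates, and the 60-day warning window are constructed assumptions.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inventory (serials and dates are made up for illustration).
INVENTORY_CSV = """serial,site,service,expires
FW-EXAMPLE-0001,HQ,IPS,2025-03-01
FW-EXAMPLE-0001,HQ,Gateway AV,2025-03-01
FW-EXAMPLE-0002,Branch,IPS,2025-07-15
FW-EXAMPLE-0002,Branch,Content filtering,2025-05-20
FW-EXAMPLE-0003,Warehouse,IPS,
"""

# Higher number = worse; an unknown expiry outranks "renew-soon" because
# nobody can say whether that appliance is still receiving signatures.
SEVERITY = {"ok": 0, "renew-soon": 1, "unknown": 2, "lapsed": 3}

def classify(expires, today, warn_days=60):
    """Status of one subscription; a blank date is 'unknown', never assumed valid."""
    if not expires.strip():
        return "unknown"
    expiry = date.fromisoformat(expires.strip())
    if expiry < today:
        return "lapsed"
    if expiry - today <= timedelta(days=warn_days):
        return "renew-soon"
    return "ok"

def audit(csv_text, today, warn_days=60):
    """Return {serial: (worst_status, [(service, status, expires), ...])}."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["expires"], today, warn_days)
        worst, items = report.get(row["serial"], ("ok", []))
        if SEVERITY[status] > SEVERITY[worst]:
            worst = status
        items.append((row["service"], status, row["expires"] or "n/a"))
        report[row["serial"]] = (worst, items)
    return report

if __name__ == "__main__":
    for serial, (worst, items) in audit(INVENTORY_CSV, date(2025, 4, 1)).items():
        print(f"{serial}: {worst.upper()}")
        for service, status, expires in items:
            print(f"  {service:<18} {status:<11} expires {expires}")
```

Each appliance is reported at the status of its worst subscription, so one lapsed IPS licence flags the whole serial number even if other services on it are current.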
Pricing, stock, and next steps
All prices shown on our catalogue are GST-inclusive, with ex-GST displayed alongside. Stock status reflects what we have verified on hand; supplier ETA lines are labelled separately so you know what you are ordering. ACL cover for returns and warranty sits with us — not a grey-import arrangement where you are chasing an overseas vendor.
To get a firewall recommendation sized to your user count, internet speed, and feature requirements, browse the security range or use the quote request on the catalogue page.