
A firewall is a verb, not a box.

Buying a firewall takes an afternoon. Running it well takes years. We deploy, configure, patch, tune and watch yours so it actually does the job after month one.

Most "firewall problems" we inherit aren't broken firewalls. They're firewalls nobody's looked at since the day they were installed.

A modern next-generation firewall (NGFW) is a Linux server running 40+ services: deep packet inspection, intrusion prevention, web filtering, application control, VPN concentration, SD-WAN, sandboxing. Out of the box, almost none of these are tuned to your business. After 18 months of "small changes" by whoever was on call, the rule base looks like an attic.

4UIT is a Sophos Partner; we deploy Sophos XGS as our default firewall — same vendor as our endpoint and email stack, so XDR correlations actually work. For larger or specialised deployments we also work with Fortinet and SonicWall.

What "managed" actually means

Day 1: site survey, internet circuits assessed, replacement (or upgrade) hardware sized, VLANs designed for guest / staff / point-of-sale / IoT separation. We document the network the way you'd want it documented — not in a notebook on the IT person's desk.

Week 1: cutover at a quiet hour, configuration restored from version control (yes, your firewall config is under version control), firmware patched to current vendor recommendation. WAF/IPS in monitor mode for two weeks while we baseline normal traffic.

Month 1+: rules reviewed, anomalies investigated, monthly patching, quarterly rule audit, half-yearly disaster recovery test (yes, we restore your firewall config to a spare unit on a Saturday). When something changes — a new printer, a new SaaS tool, a new branch office — there's a ticket, a plan, and a record.

What you see

A monthly report: blocks by category, top sites, top users, IPS hits, VPN session summaries, firmware status, rule changes. A weekly health check (auto-emailed). A line-item log of every change we made and why. Logs retained for 1 year minimum, longer if your industry demands it.

SD-WAN & multi-site

If you have more than one location — clinic and satellite, head office and warehouse, downtown and Kanata — we set up SD-WAN routing so that when the internet drops at one site, traffic automatically fails over to the other. No "is the VPN down?" questions over Teams.

Common questions.

Do I need to replace my existing firewall?

Not usually. We assess what you have first. If it's still under vendor support and sized correctly, we adopt it. We replace when end-of-life is imminent, when the unit is undersized for your throughput, or when the rule base is unrecoverable.

How is this different from just buying a Sophos XGS and a 1-year support contract?

You can absolutely do that. Three years in, you'll have outdated firmware, drifted rules, expired licenses, no logs, and a unit nobody remembers the password for. Management is the part that matters.

What about home / remote workers?

Sophos XGS includes a free VPN client for full remote access. We also support Sophos ZTNA for zero-trust access (more secure, no full tunnel). Setup is per-user, managed centrally.

How much downtime during cutover?

For a single-firewall replacement: 15–60 minutes, scheduled outside business hours. For HA pair installs: zero — we cut traffic to the new unit while the old one is still passing it, then fail back.

Can you work with my existing internet providers?

Yes. We're carrier-neutral. We've configured firewalls behind Bell, Rogers, Cogeco, Beanfield and TELUS Business circuits across the NCR.

Ready to make your IT boring?

20-minute call. No deck, no pressure. We listen, then propose.
