The appliance that elicits anger and frustration at its mere sight. The treacherous device that never worked right.

  • Kazumara@discuss.tchncs.de
    10 hours ago

    They are so often stateful and fall over when some scanner comes by, or if a light DNS DoS attack happens, compromising the entire access link, when the scanned systems or the DNS server weren’t even bothered by the amount of requests.

    They introduce weird unexpected restrictions, like preferring to blackhole our customers’ traffic rather than accepting some asymmetric routing. And then we get blamed for their setup, which they don’t even know.

    They ossify protocol development in general, requiring things like header encryption in QUIC to force them to ignore things that aren’t their business anyway.

    They are apparently also expensive as hell; multiple customers have declined upgrades because they don’t have fast enough firewalls and not enough budget to buy faster ones.

    Those are the ones that come to mind right now. There are also occasional bugs that make our or our customers’ lives difficult, but I can’t recall a clear one at the moment.