OVERKILL
$100 Site Donor 2021
Zyxel USG60 that just got decommissioned because of the stupid Zyxel backdoor that just happened. Zyxel with Cyren was at the boarder with Untangle or Sophos UTM in bridge. Now just Untangle on my Rangeley. Have you seen our used Untangle yet?
I'm familiar with it but don't use it. I'm curious why were you bridging the Sophos UTM or the Untangle solution rather than using one of them for NAT? Either would be far more capable than the Zyxel unit.
I use Cisco's Umbrella solution (IPS, AMP) in conjunction with CIRA's DNS filtering setup. Back when I was running an ISR for NAT I used an ASA 5505 in transparent mode then upgraded it to a 5506X also in transparent mode with the very cumbersome and extremely slow FirePOWER module. Eventually cut out the ISR and had the ASA doing NAT but it really was a bit of a pile, even though I really wanted to like it. I replaced it with another ISR, then went Sophos XG, then back to Cisco with an MX64, which is what I'm running presently.