The SonicWall PRO 2040 is easily the most powerful—and complex—of the units we tested. Our test unit had a capacity of 150 simultaneous VPN tunnels, 50-Mbps VPN capacity, and 50 internal devices, not to mention intricate controls over the VPN and security policies. The PRO 2040 needs experienced IT people to operate it, but in return it can manage the security needs of a fairly complex organization.

Key to the PRO 2040's architecture are zones, a security concept in the SonicOS operating system. The idea of zones is to give different levels of privileges to different internal users by varying their access to the different interfaces (X0, X1, and so on). Zones are another example of how the PRO 2040 is more powerful and complicated than the other products in this review. With just four interfaces, zones might be overkill. Still, they're a convenient way to manage security, and the planned growth of features in the product might make zones necessary at some point.

There is also very good control over NAT policies, through which the administrator can control address translation to a far greater degree than the usual one-to-many mapping capability. For instance, we could map one external address to one specific internal address, which is handy for keeping publicly accessible servers on the internal network. It's also possible to map many internal systems to a single WAN address, with uniqueness at the port level, and even many-to-many. And even better, these features can be used to define a wireless zone on an isolated port that requires IPsec.

The complexity of such features becomes manageable through the operating system's object-based management approach. Administrators can define objects for ranges of network addresses, users, groups, services and schedules, and apply policies to them. Policies, such as the NAT policies, are applied to these objects. Changes in the objects don't require changes in the policies.

Upgrades are available to the unit to enforce client-side antivirus use (with the McAfee client) and Web-content filtering. The device can be managed remotely by centralized IT or by managed service providers using SonicWall's Global Management System.

The PRO 2040 comes bundled with 10 VPN client licenses (it can support up to 100). The VPN itself has hardware-based IPsec acceleration, so it should be able to perform well up to the capacity of the WAN interface and still leave CPU capacity for administrative functions. The SonicWall VPN Client software is fairly easy to use. The server-side configuration is easier than some. A series of wizards (including a VPN wizard) that should make the whole process much simpler is coming in an upgrade to SonicOS.

The PRO 2040 will intimidate most people without a lot of IT savvy. But it's a very good choice for businesses who need support for more complex networks and have an eye toward scalability.