My personal experience sysadminning firewalls has mostly been as an end user protecting various low-end systems connected to the net with DSL or frame relay.
To that end, about three years ago I picked up the first Sonicwall and I have been very pleased with it. It was pricey then, but well worth every penny in being simple to configure (they would claim out of the box and configured in 15 minutes), while offering some sophisticated abilities: stateful inspection, VPN, DHCP, PPPoE support, pinholing, and protection against DOS, spoofed IP addresses, and all sorts of other stuff. The Sonicwall appears to offer much better protection and it's been easier to administer than all those firewalls at the various companies I've worked for, where all the "professional IT sysadmins" can say is, "Can't do it, because of the firewall."
Hey, this firewall got me onto the CBS Evening News with Dan Rather! About two years ago, my Sonicwall started telling me about more and more frequent attacks. As in lots of attacks, many times per day. I traced the attacks, and if the addresses weren't spoofed, they were coming from Korea, Iraq, Serbia; real cool, right? I wrote off to some journalists and I said it was an example of how PacBell (and other ISPs most likely) wasn't educating their consumers (esp. their DSL consumers) about the dangers of putting a computer on the net. One or two small articles were written about the attacks I experienced and that was that.
Three weeks later, Yahoo, eBay, and CNN dropped off the net. So I got a six a.m. phone call from some producer in New York wanting to interview me because, according to LexisNexis, I was about the only person in the US who ever matched "firewall+internet+attack+DOS" or something like that. But I pretty much got the whole story wrong, because no one knew about the DSL zombies on the first or second days, so I said that my attacks were probably benign script kiddies. D'oh!
Hey, it was cool: some independents drove out to my place, were here for about three hours, interviewed me for about thirty minutes, and then they showed about fifteen seconds of the interview, but they did include screen shots of my logs and traces showing attackers from Serbia, Iraq, and Korea trying to take me down! I was so dumb; I bet they would have shown more if I hadn't said that what I experienced was probably just kids. Dumb, dumb, dumb! I should have said, "Oooh, scary hacker spies from communist satellites are out to get us all!" What was really neat was how my picture appeared in four or five completely different segments on CBS and local news for the next month. "Hey Carol, we need some canned video of a geek in a suit, in five minutes." "Okay, I got that right here." And for having shilled Sonicwall on the air, they sent me two XL sweatshirts!
That said, I don't know how their newer high end products stack up in ability or price to the competition. I would expect that Sonicwall has some excellent products, and I appreciate that three years after purchasing my first, they still support it with new firmware releases with bugs fixed, and new features added, but I just don't know what the competition is in the market of higher end web application level firewalls.
I look at that purchase of a $400 residential firewall as my hiring of all of Sonicwall's network and security engineers. While I could have secured my system on my own, there is no way I could have done it as well, and protected the system from the various DOS attacks that the Sonicwall handles, for $400 of my own time, plus gotten access to a technical support team that at the time could answer my questions or educate me as to other network issues.
There are a few reasons I still favor a separate firewall in front of a webserver. One, tech support, if they are any good, can be very useful. Two, they are watching and constantly fixing the bugs in their firewall and enable me to let up on my scanning the various buglists looking for problems with, say, ipchains. Three is nice sweatshirts. Four, when it comes time to troubleshoot your system after the damn thing has gone live, the firewall is a completely independent node. I can test my system with the firewall in place, and I can tweak the rest of my system without having to worry that my firewall has been compromised or disabled by my own actions. That means that I can, temporarily at least, install or configure vulnerable software and not have to worry about those vulnerabilities leading to cracks.
And should I suspect a firewall problem, it's very easy to test it in place, or swap it out for another black box when I need to. (I actually found that old AOLserver beta 3 servers could crash the Sonicwall as a very old version of ns_httpget sent out bad headers with LFs but not CRs and the Sonicwall wasn't tolerant of that.)
It's been a great sleep aid.