I've always been a fan of Checkpoint's firewall. It's not bad.

Definitely place some sort of IDS/IPS on the interior side of your firewall (let the firewall do its job, sniff what is getting through). Snort is definitely the best one. www.snort.org/dl