Educause Security Discussion mailing list archives
Re: Fortinet vs. Palo Alto
From: Will Froning <will.froning () GMAIL COM>
Date: Sat, 26 Feb 2011 09:32:28 +0400
Hello Corbett,

We evaluated Fortinet and Palo Alto two years ago to replace our EOL'd PIX. We ran a span port on our outbound traffic to the Fortinet and it died in less than 1 hour. We picked Palo Alto Networks. :)

We had a couple of growing pains the first couple of months, but it has proven to be a great product with plenty of power.

Here are a few things we haven't tested yet, but want to:

* IPv6: The UAE NREN (Ankabut) is actively being rolled out as a dual-stack, so I suspect we will have a much better idea once the summer rolls in.
* PBR: We are waiting for our second link from the only other ISP in UAE to test this out.
* Traffic Shaping: We are still using our Exinda, but it would be nice to drop one more thing.
* SSL Decryption: It works, but I'm concerned about AppID digging too deep and misidentifying the stuff being protected by SSL, so we haven't rolled it out.
* BGP with ZX SFPs: In theory we could drop our edge router and run our links directly into the PAN with ZX modules, but that's a little scary. I haven't heard of anyone trying this, but I haven't revisited this for over a year.
* CnC detection: PAN is trying to move into the FireEye realm. Sounds nice, but I suspect it is based on reactive updates instead of the VM analysis FireEye performs. Not as good, but anything helps I suppose. This is new to PanOS 4.0.

Annoyances:

* AppID Updates: If you don't actively watch the announcements when new applications have been identified, you may wake up one day to find that SMTP traffic from the Ariel server is no longer going through (changed from application smtp to ariel).
* No PPPoE: iPhones and other mobile devices are left out in the cold for VPN services (_might_ be in PanOS 4.0).
* Not your Mom's firewall: It has been hard for some of the Cisco guys to grasp that PAN rules are based on Apps, not just ports. It requires the networking team to have a better understanding of the services they are allowing through. It's "blackboard" and "webdav", not port 80.

I'm available if you have other questions.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning

On Friday, February 25, 2011 at 6:21 PM, Consolvo, Corbett D wrote:

Folks,
We’re doing some firewall evaluations and was wondering if anyone has any input on Fortinet vs. Palo Alto. We’re looking at them for multi-Gb installations (perimeter, data center, possibly dorms) and my impression is that Palo Alto is more polished but Fortinet looks to be less expensive as well as providing some features (such as vulnerability assessment and chassis versions) that Palo Alto doesn’t. Any feedback (especially real-world experience) on either or both products would certainly be appreciated. Thanks Corbett Consolvo Texas State University