Educause Security Discussion mailing list archives

Re: Fortinet vs. Palo Alto


From: Will Froning <will.froning () GMAIL COM>
Date: Sat, 26 Feb 2011 09:32:28 +0400

Hello Corbett,

We evaluated Fortinet and Palo Alto two years ago to replace our EOL'd PIX. We ran a span port on our outbound traffic 
to the Fortinet and it died in less than 1 hour.

We picked Palo Alto Networks. :) We had a couple of growing pains the first couple of months, but it has proven to be a 
great product with plenty of power.

Here are a few things we haven't tested yet, but want to:
* IPv6: The UAE NREN (Ankabut) is actively being rolled out as a dual-stack, so I suspect we will have a much better 
idea once the summer rolls in.
* PBR: We are waiting for our second link from the only other ISP in UAE to test this out.
* Traffic Shaping: We are still using our Exinda, but it would be nice to drop one more thing.
* SSL Decryption: It works, but I'm concerned about AppID digging too deep and misidentifying the stuff being protected 
by SSL so we haven't rolled it out.
* BGP with ZX SFPs: In theory we could drop our edge router and run our links directly into the PAN with ZX modules, 
but that's a little scary. I haven't heard of anyone trying this, but I haven't revisited this for over a year.
* CnC detection: PAN is trying to move into the FireEye realm. Sounds nice, but I suspect it is based on reactive 
updates instead of the VM analysis FireEye performs. Not as good, but anything helps I suppose. This is new to PanOS 
4.0.

Annoyances:
* AppID Updates: If you don't actively watch the announcements when new applications have been identified, you may wake 
up one day to find that SMTP traffic from the Ariel server is no longer going through (changed from application smtp to 
ariel).
* No PPPoE: iPhones and other mobile devices are left out in the cold for VPN services (_might_ be in PanOS 4.0).
* Not your Mom's firewall: It has been hard for some of the Cisco guys to grasp that PAN rules are based on Apps not 
just ports. It requires the networking team to have a better understanding of the services they are allowing through. 
It's "blackboard" and "webdav" not port 80.

I'm available if you have other questions.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning 
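
As an added illustration of the App-ID update problem Will describes above (example code, not from the list or from Palo Alto): a constructed Python model of app-based rules in which a signature update reclassifies a session from smtp to ariel, and a replay check run against recent traffic before installing the update flags the rule that would silently stop matching. The app names, the Ariel payload marker, the addresses and the rule names are all assumptions.

```python
# Constructed model of an application-aware (App-ID style) firewall policy. Not
# PAN-OS code: it reproduces the thread's failure mode, where a content update
# reclassifies a session (smtp -> ariel) and an "allow smtp" rule stops matching.
from typing import Callable, List, NamedTuple, Tuple

# payload holds the first bytes of the session, which is what app identification inspects.
Flow = NamedTuple("Flow", [("src", str), ("dst", str), ("dport", int), ("payload", bytes)])
Signature = Tuple[str, Callable[[Flow], bool]]  # (app, matcher), most specific first

# Constructed signature sets; "v2" stands in for a content update that adds an
# Ariel-specific signature ahead of generic smtp. The X-Ariel header marker is made up.
SIGS_V1: List[Signature] = [
    ("smtp", lambda f: f.dport == 25 and f.payload.startswith(b"EHLO")),
    ("web-browsing", lambda f: f.dport == 80 and f.payload.startswith(b"GET")),
]
SIGS_V2: List[Signature] = [("ariel", lambda f: f.dport == 25 and b"X-Ariel" in f.payload)] + SIGS_V1

# Rules match on the identified app, never the port; first match wins and
# anything left over hits the implicit deny.
POLICY = [{"name": "allow-smtp-out", "apps": {"smtp"}, "action": "allow"},
          {"name": "allow-web", "apps": {"web-browsing"}, "action": "allow"}]
# The fix: the outbound mail rule must name the newly split-out app as well.
POLICY_FIXED = [{"name": "allow-smtp-out", "apps": {"smtp", "ariel"}, "action": "allow"}] + POLICY[1:]

def identify(flow: Flow, sigs: List[Signature]) -> str:
    # First matching signature wins; unmatched traffic is reported as unknown-tcp.
    return next((app for app, match in sigs if match(flow)), "unknown-tcp")

def verdict(flow: Flow, sigs: List[Signature], policy) -> Tuple[str, str]:
    app = identify(flow, sigs)
    action = next((r["action"] for r in policy if app in r["apps"]), "deny-implicit")
    return app, action

def replay_impact(flows, old_sigs, new_sigs, policy) -> List[dict]:
    # Pre-update check: replay recent traffic-log sessions through the old and new
    # signature sets and report every session whose policy verdict would change.
    changes = []
    for f in flows:
        before, after = verdict(f, old_sigs, policy), verdict(f, new_sigs, policy)
        if before[1] != after[1]:
            changes.append({"flow": f, "before": before, "after": after})
    return changes

# Constructed sample sessions: an Ariel document transfer, plain mail, plain web.
SAMPLE_FLOWS = [
    Flow("10.1.2.3", "192.0.2.10", 25, b"EHLO ariel.example\r\nX-Ariel: 4.1\r\n"),
    Flow("10.1.2.4", "192.0.2.11", 25, b"EHLO mail.example\r\n"),
    Flow("10.1.2.5", "192.0.2.12", 80, b"GET / HTTP/1.1\r\n"),
]
```

Running `replay_impact(SAMPLE_FLOWS, SIGS_V1, SIGS_V2, POLICY)` reports the Ariel session going from `("smtp", "allow")` to `("ariel", "deny-implicit")`, while the same replay against `POLICY_FIXED` reports no changes.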

On Friday, February 25, 2011 at 6:21 PM, Consolvo, Corbett D wrote:
Folks,
We’re doing some firewall evaluations and were wondering if anyone has any input on Fortinet vs. Palo Alto. We’re 
looking at them for multi-Gb installations (perimeter, data center, possibly dorms) and my impression is that Palo 
Alto is more polished but Fortinet looks to be less expensive as well as providing some features (such as 
vulnerability assessment and chassis versions) that Palo Alto doesn’t. Any feedback (especially real-world 
experience) on either or both products would certainly be appreciated.

Thanks
Corbett Consolvo
Texas State University
