Educause Security Discussion mailing list archives

Re: Fortinet vs. Palo Alto


From: Tim Nance <nancet () SHANDS UFL EDU>
Date: Fri, 25 Feb 2011 14:28:23 -0500

Three years ago we brought a Palo Alto device into our network to test
it out.  It wasn't quite ready for prime time.  Misidentified traffic.
Lacked a bit on the UI.  A year ago we brought them back in, and I
believe they are now fully baked.
 
We have now been running a Palo Alto firewall on our wide open
guest/patient wireless network for the past 10 months.  We have it
configured to block 2 web site categories, all unknown applications &
all peer-to-peer sharing applications.  Prior to its implementation we
were running a Juniper firewall with web filtering subscription and were
responding to about 1 RIAA type of issue per week.  Since it went live
we have not had a single reported infringement issue.
 
About 6 months ago we replaced our web filtering solution for the
primary network with a much larger Palo Alto, and continue to be impressed
with its abilities.  The renewal costs for our previous web filtering
solution were on par with a new Palo Alto with URL and app filtering.
We had to drop another 5k to get the threat monitoring (IDP)
functionality.  Then another one of our hospitals which was running
its own web filtering solution opted to utilize the Palo Alto.  This
saved us another $15,000 as the Palo Alto web filtering is a flat fee vs.
a per user fee as are most other solutions.  We are currently pushing
traffic from 12 thousand hosts through it.
 
The IDP functionality within the Palo Alto provided much more
meaningful data than the other system we were using and I have not had
any problems with stateful firewalling capabilities.  We are
tentatively planning on purchasing 2 - 4 more 10 gig Palo Alto boxes.
 
We just finished participating in beta testing the new Palo Alto
firewalls which will be announced next week.  We placed it at the
boundary between us and main campus and fed it traffic from our entire
organization, ~25,000 hosts.  We performed deep packet inspection on all
traffic on the 10gig interfaces.  I was extremely impressed with their
performance and upgraded user interface.  Due to NDA I can't say much
more about it.
 
I tested a Fortinet device a few months ago.  They have a lot of
promise, but their promise of UTM is not there yet.  I am still planning
on buying a couple of dozen of their low end devices as an in-line
control point for some of our FDA regulated devices.
 
I saw Fortinet's new gear at RSA last week and it looked impressive.
The capabilities they are claiming sound even more so.  Though I found
it very telling when I spoke to the Sonicwall engineer at the show, and
he told me, "don't trust the Fortinet numbers," and then went on to praise
the Palo Alto boxes.
 
--tim
Timothy M. Nance 
CISSP, CISA, MCSA, ECSA
Information Security Analyst
University of Florida Academic Health Center
PO Box 100356
Gainesville, FL 32610-0356
265-8317 x 85285
"Consolvo, Corbett D" <cc72 () TXSTATE EDU> 2/25/2011 9:21 AM >>>

Folks,
  We're doing some firewall evaluations and were wondering if anyone has
any input on Fortinet vs. Palo Alto.  We're looking at them for multi-Gb
installations (perimeter, data center, possibly dorms) and my impression
is that Palo Alto is more polished but Fortinet looks to be less
expensive as well as providing some features (such as vulnerability
assessment and chassis versions) that Palo Alto doesn't.  Any feedback
(especially real-world experience) on either or both products would
certainly be appreciated.
 
Thanks
Corbett Consolvo
Texas State University
 