Re: Fortinet vs. Palo Alto

["Kellogg, Brian D." <bkellogg () SBU EDU>]

I know Sonicwall is not in the discussion here, but I would like to take this opportunity to advise against using them 
since they were mentioned below.  We have been burnt severely by their product and their support.  We sincerely regret 
our decision to move to Sonicwall; bar none the worst decision of my career.  The only remotely redeeming fact of our 
switch to Sonicwall is that we could afford two of them in a failover pair; trust me, the failover secondary unit is 
not an option when considering Sonicwall.  We disabled their UTM services as well due to issues.  I've been 
administering FWs for close to two decades and I have never had the problems in that time with FWs that I have seen 
from the Sonicwalls in two years.  I could go on and on, but my therapist says I need to let go and move on.

To be somewhat fair there have been some cases opened with their support where support has been good, but for the most 
part it is bad; especially so on off hours.


Rant over,
Brian

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tim Nance
Sent: Friday, February 25, 2011 2:28 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet vs. Palo Alto

Three years ago we brought a Palo Alto device into our network to test it out.  It wasn't quite ready for primetime.  
Misidentified traffic.  Lacked a bit on the UI.  A year ago we brought them back in, and I believe they are now fully 
baked.

We have now been running a Palo Alto firewall on our wide open guest/patient wireless network for the past 10 months.  
We have it configured to block 2 web site categories, all unknown applications & all peer to peer sharing applications. 
 Prior to its implementation we were running a juniper firewall with web filtering subscription and were responding to 
about 1 RIAA type of issue per week.  Since it went live we have not had a single reported infringement issue.

About 6 months ago we replaced our web filtering solution for the primary network with much larger Palo Alto, and 
continue to be impressed with abilities.  The renewal costs for our previous web filtering  solution were on par with a 
new Palo Alto with url and app filtering.   We had to drop another 5k to get the threat monitoring (IDP) functionality. 
   Then another one of our hospitals which was running its own web filtering solution opted to utilize the Palo Alto.  
This saved us another $15,000 as the Palo Alto web filtering is a flat fee vs a per user as are most other solutions.  
We are currently pushing traffic from 12 thousand hosts through it

The IDP functionality within the Palo Alto provided much more meaningful data than the other system we were using and I 
have not had any problems with stateful firewalling capabilities.   We are tentatively planning on purchasing 2 - 4 
more 10 gig Palo Alto boxes.

We just finished participating in beta testing the new Palo Alto firewalls which will be announced next week.  We 
placed it at the boundary between us and main campus and fed it traffic from our entire organization ~25,000 hosts.  We 
performed deep packet inspection all traffic on the 10gig interfaces.  I was extremely impressed with their performance 
and upgraded user interface.     Due to NDA can't such much more about it.

I tested a Fortinet device a few months ago.  They have a lot of promise, but there promise of UTM is not there yet.  I 
am still planning on buying a couple of dozen of their low end devices as an in-line control point for some of our FDA 
regulated devices.

I saw Fortinet's  new gear at RSA last week and it looked impressive. The capabilities they are claiming sound even 
more so.  Though I found it very telling when I spoke to the Sonicwall engineer at the show, and he told me don't trust 
the Fortinet numbers and then went on to praise the Palo Alto boxes.

--tim





Timothy M. Nance
CISSP, CISA, MCSA, ECSA
Information Security Analyst
University of Florida Academic Health Center
PO Box 100356
Gainesville, FL 32610-0356
265-8317 x 85285


> > > "Consolvo, Corbett D" <cc72 () TXSTATE EDU> 2/25/2011 9:21 AM >>>
Folks,
  We're doing some firewall evaluations and was wondering if anyone has any input on Fortinet vs. Palo Alto.  We're 
looking at them for multi-Gb installations (perimeter, data center, possibly dorms) and my impression is that Palo Alto 
is more polished but Fortinet looks to be less expensive as well as providing some features (such as vulnerability 
assessment and chassis versions) that Palo Alto doesn't.  Any feedback (especially real-world experience) on either or 
both products would certainly be appreciated.

Thanks
Corbett Consolvo
Texas State University