Educause Security Discussion mailing list archives

Re: Fortinet vs. Palo Alto


From: Joe Guenther <JGuenther () OLDSCOLLEGE CA>
Date: Thu, 3 Mar 2011 12:20:45 -0700

Which model of Fortinet did you evaluate?

We have a set of 3016s in HA for our edge. They work very well, but we are not on a multi-gig external connection, 
and we do not use them to filter web site categories.  I am very happy with these firewalls on the network edge.

We also have a set of 3810s in HA with the new 4x10 gig port ADM-XD4 modules as our server firewalls.  It was 
interesting, as this project was designed using the older 2-port modules with the intent to push 10 gig traffic over the 
backplane/central CPU, to then realize that the architecture of the FortiGate only allows 1 gig or 4 gig of traffic over 
the central CPU/backplane.  The only solution was to use the 4-port ADM-XD4 modules and keep the traffic within the 
module. That was the only way to deal with multi-gig traffic. This works.  We do IPS, and Active Directory driven rules 
to segregate secure servers (financials & student information databases). We can do full 10 gig throughput with them. 
Our traffic levels have not reached 10 gig, but we do get multi-gig traffic throughput on a daily basis with no trouble 
at this point.
Apparently the newer 3900 series firewalls have been re-architected.

I have found the support and especially the professional services from Fortinet to be excellent.  The only complaint 
along that line is that it takes Fortinet a long time to fix a bug in the VPN / RADIUS authentication. The current 
firmware build has not been released for the 3016s, and apparently that bug has been fixed in that release.  So they 
seem to struggle there.


Joe Guenther | Sr. Network Administrator | Olds College | 4500-50th Street | Olds, Alberta | T4H 1R6 | 403-507-7923 - 
Office | 403-559-8340 - cell

-----Original Message-----
From: Will Froning [mailto:will.froning () GMAIL COM]
Sent: 25 February, 2011 10:32 PM
Subject: Re: Fortinet vs. Palo Alto

Hello Corbett,

We evaluated Fortinet and Palo Alto two years ago to replace our EOL'd PIX.
We ran a span port on our outbound traffic to the Fortinet and it died in
less than 1 hour.

We picked Palo Alto Networks. :) We had a couple of growing pains the first
couple of months, but it has proven to be a great product with plenty of
power.

Here are a few things we haven't tested yet, but want to:
* IPv6: The UAE NREN (Ankabut) is actively being rolled out as a dual-stack,
so I suspect we will have a much better idea once the summer rolls in.
* PBR: We are waiting for our second link from the only other ISP in UAE to
test this out.
* Traffic Shaping: We are still using our Exinda, but it would be nice to
drop one more thing.
* SSL Decryption: It works, but I'm concerned about AppID digging too deep
and misidentifying the stuff being protected by SSL so we haven't rolled it
out.
* BGP with ZX SFPs: In theory we could drop our edge router and run our
links directly into the PAN with ZX modules, but that's a little scary. I
haven't heard of anyone trying this, but I haven't revisited this for over
a year.
* CnC detection: PAN is trying to move into the FireEye realm. Sounds nice,
but I suspect it is based on reactive updates instead of the VM analysis
FireEye performs. Not as good, but anything helps I suppose. This is new to
PAN-OS 4.0.

Annoyances:
* AppID Updates: If you don't actively watch the announcements when new
applications have been identified, you may wake up one day to find that
SMTP traffic from the Ariel server is no longer going through (changed from
application smtp to ariel).
* No PPPoE: iPhones and other mobile devices are left out in the cold for
VPN services (_might_ be in PAN-OS 4.0).
* Not your Mom's firewall: It has been hard for some of the Cisco guys to
grasp that PAN rules are based on Apps not just ports. It requires the
networking team to have a better understanding of the services they are
allowing through. It's "blackboard" and "webdav" not port 80.

I'm available if you have other questions.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
On Friday, February 25, 2011 at 6:21 PM, Consolvo, Corbett D wrote:
Folks,
We're doing some firewall evaluations and were wondering if anyone has
any input on Fortinet vs. Palo Alto. We're looking at them for multi-Gb
installations (perimeter, data center, possibly dorms) and my impression is
that Palo Alto is more polished but Fortinet looks to be less expensive as
well as providing some features (such as vulnerability assessment and
chassis versions) that Palo Alto doesn't. Any feedback (especially real-world
experience) on either or both products would certainly be appreciated.

Thanks
Corbett Consolvo
Texas State University
