Educause Security Discussion mailing list archives

Re: Checkpoint Vs. Palo Alto Vs. Fortinet


From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Fri, 1 Nov 2013 17:45:52 -0500

Hi Allan. I might be able to provide a little information for you on this topic. I want to be up front though, I work for a vendor who sells all three of these products. That said, I spent 6 years managing a Check Point infrastructure for a college, 18 months managing a Fortinet infrastructure for a power company, and another year managing Palo Alto in my own home. I've also been consulting on Check Point and Palo Alto for the last 18 months.

This is my own personal opinion and not that of my company. My favorite of the three is Palo Alto. They have some growing up to do, but I believe they are making great strides, especially in the newer versions. I often find that the system works with few issues. The only real issue I have had with the system is in respect to system load. Randomly my PA-200 will become very slow on the management side. The data side seems to continue just fine. I believe it is because I am running a lot of different features on such a small box. Under normal use, the system is great. Troubleshooting the system can occasionally be a pain, but it is nothing compared to Check Point.

On the other hand (and again, my personal opinion) Fortinet severely lacks. I have not tried the newer software, but I know on the 30+ devices I was using in the past, they were always overloaded even though the devices were rated for significantly more traffic than was passing through the system. We were always having firewall related issues of some sort or another. I have a brand new FortiWiFi 60C sitting on my desk waiting for testing, but I haven't gotten to it yet. Maybe it will change my mind.

As far as Check Point, they definitely have their place and once they are up and running they continue running. My biggest three issues with Check Point are with upgrades, feature changes, and troubleshooting. Upgrades are a serious pain in the rear. There are a lot of things that have to be manually upgraded or migrated to new hardware because the upgrade process doesn't do it for you. They will change how things work from version to version, which may cause issues (AD replication negotiation immediately comes to mind). Lastly, troubleshooting is a big pain because traffic is processed in so many different ways that it becomes difficult to figure out. I was recently dealing with what should have been a simple fix, but it took Check Point themselves nearly 3 months to figure it out. On the plus side, Check Point has a great management dashboard and is a good system for non-techies since they probably won't be doing their own troubleshooting anyway.

Those are just my opinions on each. All have their pros and cons though.

--
Nathaniel Hall
GSEC GCFW GCIA GCIH GCFA CNSE

On 11/1/2013 5:05 PM, Allan Nelson wrote:

Hello:

My institution is currently reviewing its firewall strategy with the aim of upgrading/replacing our current firewall infrastructure. We are currently a Checkpoint shop, with devices providing both Advanced Networking and firewalling (UTM) capabilities. We recently met with reps from Palo Alto and Fortinet and on the surface they both seem to provide viable, possibly even cheaper alternatives. I just wanted to hear from the group of any experiences with Palo Alto and/or Fortinet to help us in our decision making. We currently have a combination of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.

Thanks

Allan Nelson
Manager, Security and Governance
University of Trinidad and Tobago
