Re: Next Generation Firewalls

[Brandon Dick <bdick () MURRAYSTATE EDU>]

For you all that went with Fortinet:

When we were doing our bid, we put in requirements that the Firewall be 
10GB capable and someone put in a bid for the Fortinet 1500D. According 
to the specs, the 1500D would put a Palo Alto 5050 to shame, but the 
cost difference wasn't even close, with Fortinet being the clear winner 
in price.  I kept digging into it with the reseller and requesting 
guarantees that this would actually perform as well as they said, and 
eventually the reseller pulled out of the bid.   So I never really got 
the full story on that one.

So my question is, how many of you think the 1500D would've actually 
handled 10GB of traffic?  I noticed in your comparison below, they chose 
the 3600C, which makes me think even more that the 1500D wouldn't have 
performed to spec.  It was just a really odd situation...

On 6/19/2015 2:45 PM, Kumar, Shashank wrote:
> Hello All,
>
> We recently went through a bake-off ourselves and evaluated the Palo Alto 5050s, Fortinet 3600C, ASA5585-SSP-20 and the 
> SRX 3600.
> PA and Fortinet impressed us the most with flexible deployment options (routed mode, transparent mode, tap mode, 
> virtual systems), good hardware specs and throughput, intuitive management consoles and good vendor interaction. 
> Positive feedback from universities that had deployed PA and Fortinet was reassuring.
>
> Our evaluation process involved hitting the test unit with constant 2Gig of traffic and measuring the throughput with 
> various features enabled.  We also planned for virtual systems and doubling our throughput within the next 3 years or 
> so.  Let me know if you would like to see the test template that we used.
>
> Hope this helps.
>
> Best Regards,
> Shashank
> FGCU Network Services |Tel: 239-590-7448
>
> Florida has a very broad public records law.  As a result, any written communication created or received by Florida 
> Gulf Coast University employees is subject to disclosure to the public and the media, upon request, unless otherwise 
> exempt.  Under Florida law, e-mail addresses are public records.  If you do not want your email address released in 
> response to a public records request, do not send electronic mail to this entity.  Instead, contact this office by 
> phone or in writing.
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gramke, 
> Jim
> Sent: Friday, June 19, 2015 2:12 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Next Generation Firewalls
>
> I've got to second the Fortigate recommendation.  We've had a High Availability pair of them for a number of iterations 
> now.   Recently PA made a push, and we looked, but just undoable because of cost and even performance differences.  Bang for 
> buck, Fortigate is a formidable competitor.
>
>
> -----Original Message-----
> From: Ferguson, Michael [mailto:mferguson () CHAPMAN EDU]
> Sent: Thursday, June 18, 2015 11:17
> Subject: Re: Next Generation Firewalls
>
> We ourselves just completed a Firewall POC solution.  I would recommend also being open to Fortinet as part of your 
> consideration as this is what we selected.   It’s too early to say how well we like the solution as we’re in the 
> process of implementation.  But at least during our POC,  it distinguished itself the most in a couple key categories 
> with an emphasis on making sure we have a NGFW firewall that not only works well today, but also 4-5 years from now.  
> Like you, we saw our selection of NGFW as a significant investment.  I’ll refrain from mentioning the other solutions 
> we considered, but suffice it to say that we considered all the top solutions that are performing well in NSS Labs’ new 
> Cyber Advanced Warning System.
>
> Our testing included Ixia Breaking Point tests, which I would recommend you consider as part of your evaluation if you 
> have time to do it.  We also captured live traffic from our Production environment and sent it to several other 
> solutions simultaneously using a Gigamon.  This was valuable for seeing the manageability and effectiveness of each of 
> the solutions against each other, but not very useful when considering performance.  We also ran other security tests 
> outside the Breaking Point to look at the effectiveness of each tool.  But by far, the results of the Breaking Point 
> tests revealed the most distinction of the products we evaluated.
>
> I know Ixia offers Test Consulting for a relatively modest fee, as well as some security consulting firms.  There might 
> be other ways to get a Breaking Point or a different stress-testing tool from Spirent or others.  But needless to say, 
> it was very enlightening to see the differences between each of the solutions under heavy stress when all inspection 
> (including Application awareness) and logging was turned on.
>
> --
> Mike Ferguson
> Chapman University
> Network Operations Manager
> 714-744-7873
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Carroll, 
> Tim
> Sent: Thursday, June 18, 2015 7:00 AM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: [SECURITY] Next Generation Firewalls
>
> All,
>
> Roane State Community College is in the process of reviewing next generation firewalls.  Since this is a significant 
> investment, I would be interested in hearing from the community what you are using, your experience, why you made the 
> choice and your satisfaction with the vendor chosen.
>
> Thanks in advance for any feedback.
>
> Regards,
>
> Tim Carroll
> Assistant Vice President and Chief Information Officer Information Technology Roane State Community College
>
> ________________________________
>
> This email is intended for the addressee and may contain privileged information. If you are not the addressee, you are 
> not permitted to use or copy this email or its attachments nor may you disclose the same to any third party. If this 
> has been sent to you in error, please delete the email and notify us by replying to this email immediately.
>
> ________________________________
>
> Never give out your username or password to anyone. This includes any accounts you have such as: FGCU, bank and credit 
> card accounts, and other personal accounts.

--
Brandon Dick
Network Engineer
Information Systems
Murray State University
Phone: (270) 809-3694
Fax:   (270) 809-3465

 

MSU Information Systems staff will never ask for your password or other confidential information via email.