Sales Director at a tech vendor with 51-200 employees
Vendor
2017-07-18T14:02:58Z
Jul 18, 2017
Hi,
It's very hard to compare brand name of firewalls and you did not clarify specific models. Normally, an IT is often using a firewall and suggest that brand name. Actually, it will depend on what bundle of service you choose in each brand name of firewall. Of course, Palo Alto - it's worth it.
My suggestion is base on your requirement of security and your budget, then read the specs of each brand name and choose whether the firewall is right to your network.
Head of Operations at a tech services company with 51-200 employees
Consultant
2017-07-18T13:22:55Z
Jul 18, 2017
Are you limiting the results are a specific reason?
The larger question here is what do they need? There is no one best, each one has a good pro and con list to compare. (do they need web filtering, geo ip blocking, layer 7 filtering, detail qos control, redundant link fail over, load balancing, client access, reports, automated reports, etc) There are a lot of open questions that can help anyone tailor what would be best to use.
My personal experience with those mentioned is to go with Palo Alto. It has a good rock solid and stable OS and can be configured to most anything your client would need.
Fortinet's: The OS has many issues with memory even when you over spec the unit. You will find yourself having to restart it pretty often. It does have a decent configuration gui. (My personal opinion unless it's a OS/Firmware upgrade the unit should never need rebooted).
Check Point: At least the units I have had the wonderful time working with, have been very "finicky", granted the last one I seen was about two years ago now, which imo is a good thing. I was not impressed.
Firewalls I did not see mentioned Cisco ASA/Firepower, Cisco Meraki, SonicWall, PFSense, Adtran.
I do like the Cisco Units, though not for the faint of heart. Even the new ones you will find yourself in the shell often. That said there is a reason that most Datacenters use them, they have been around a long time and know how to build a good product.
Meraki: These have surprised me. They are as good as the Palo Alto FWs and the recent (time is relative) acquisition of OpenDNS/Umbrella into their security stack is a good blend. Easy to configure, A good option if the client will be in the FW making changes. When Paired with other Meraki units the Single Pane of Glass configuration is a plus. The Reporting is a nice feature with the ability to alert on. The Layer 7 Filtering and QOS is super well thought out. Really, really easy to configure. I can walk most anyone through a setup.
SonicWall: Just mentioning their name gives me headaches. Even after Dell purchased them the product isn't any better again just my opinion. They are easy to setup, and that is all I will give them.
PFSense: I love OpenSource products, PFSense has a good plugin list and is easy to make your own. It is not for everyone. The recent last few firmware/OS upgrades introduced a better gui interface. Rock Solid (as long as you have good hardware.) They just work. You will however need to know the product well. Some configuration places can be confusing. Such as setting up Traffic Shaping is not as simple as in the others, "in a click of a button".
Adtran: Adtran does not get mentioned enough. These units are good and do exactly what they are told. Never have to be rebooted unless you upgrading the firmware/os on the units. They are fast and as the phrase goes "they just work". The GUI is still a little dated when compared to others in the market, Once you get use to it though your golden. The Shell is near identical to the Cisco, so for Cisco guys it's an easy go between. They started out as a Voice vendor product, as you know voice is never allowed to go down and that is how their switches, routers, etc are.
So to recap: It depends on what you want to do.
In your original list, The Palo Alto is the winner.
If you want to Expand it to the larger list I would say the Meraki if you want a good gui experience and support.
If you just want it to work with a ton of no extra cost add-ons the PFSense is the next option if you're willing to put the effort into learning it inside and out, which only the hardcore guys seem to do.
CEO & Sr. Information Security Consultant at a tech services company with 1-10 employees
Consultant
2017-07-18T12:46:30Z
Jul 18, 2017
I have worked on PA, CP, & Fortinet. I found Fortinet to be the most capable and best common interface for overall usage. As stated above, I found PA's to be overpriced for what they give you. Based on my monitoring this sector, CP & PA are trying ot catch up to Fortinet's and Cisco's ecosystem approaches. Cisco's Ecosystem, since I brought it up, still requires a user to know too many different interfaces and leads to configuration issues.
If you are thinking about the cost of the product , then go with Fortinet. Fortinet products are cheep when compare to PA or Checkpoint. Whereas the performance of the box is not mentioned on the datasheet. You have to rethink the value based real world traffic.
For stable network m opinion is PA or checkpoint. Both devices have certain their own features which may not be replace by other device.
I would you to consult with the SE who can understand your requirement and unique features required to your organization.
My opinion about firewalls --> FORTI (FortiGate) is the best out of those 3:Fortinet, Palo Alto, Check Point.
Why? 1. Price (TCO), 2. Wide and complex functionality, 3. More userfriendly interface than ChPoint. Check Point is too expensive (my private opinion) compared with its functionality (the brand costs).
Having worked for Nokia and Check Point for eight years as a Senior S.E., and SonicWALL, and also being very familiar with Palo, Fortinet, Cisco & Sophos, I'd say it all comes to the customer's requirements.
When I was Director of Engineering at Intel for their FW/VPN, I asked marketing for the numbers of how much of our customer base was using the FW component of our product which was called and marketed a VPN. An astounding 48 per cent used the FW. I immediately had our gateway rebranded "Intel FW/VPN".
According to IDC we were number 2 of market share at 14% behind Bottle at 20%.
Unfortunately Intel bought our product as a "BB" (buy and bury). They took our code and put it on an ASIC chip and stamped it onto their NICks (network interface cards).
Being the director of engineering I was responsible for a good portion of that.
Best is subjective and I think there are many factors that could influence a decision.
Fortinet are generally less expensive but I have found their management and product splintering to be cumbersome, support is hit and miss and depends on the partner you work with. That said if you are on a budget it could be a good choice.
Palo have a good management platform, excellent firewalls and with the release of their new firewalls (820/50) have some cost effective solutions at the lower end, support is very good.
Checkpoint have a very good management platform, average firewalls with sometimes over complex configuration and from experience I would have to say awful support.
As always I would try to figure out what requirements and capabilities you are looking for, where the strengths and weaknesses of your security team lie and work from there. The solution should be built to fit your business requirements and budget.
I find Palo Alto being complex to deploy and complexity is the enemy of networking.
Checkpoint is good but I have not have much hands on experience with it.
Fortigate firewall is what I will recommend because of the below reason.
1.Fortinet offers the best support experience when you have issues.
2.The Fortiguard services offers regular updates to fortigate to keep it as secure as possible.
3.The fortigate is not a complex firewall to work with hence deployment is easy and clear.
4.Fortigate give more visibility on what is happening on the network and offers sandboxing on entry level devices to better protect the network from zero day threats.
5.Provides more flexibility when defining network policy eg you can use captive portal ,device identity or mac to ip binding to control access to the network and internet.
6.Fortinet always keep you up to date on the latest threats and how to proactively block them on the fortigate like experienced in recent threats like wannacry and Petya.
If i were you,
I'll get the budget with PaloAlto and deploy with Fortigate 100D on HO , 30E on branches and Meraki Cloud Switches on branches.
So, you will cover from Layer 1 and 2 with Meraki Switch and Layer 3 - 7 with Frotigate. Win win solution.
Becasue PaloAlto cost will equal to combine with Fortigae + Meraki.
Documentation Department Manager with 10,001+ employees
MSP
2017-07-19T04:02:00Z
Jul 19, 2017
Hi,
I think Fortinet is the best because its WebUI is the most friendly. Palso Alto is also OK. Check Point seems to require more technical knowledge.
I am sorry that I cannot find a colleagure to help you because I am on a trip recently.
Technical Product Specialist at a tech services company with 1,001-5,000 employees
Consultant
2017-07-19T02:02:56Z
Jul 19, 2017
Palo alto gives you a complete solution to secure all your perimeter starts with next generation firewall then wildfire then traps... everyone is secured.You have a visibility of all your traffic and user activity with the help of wildfire you get verdict in just 5 minutes time and if you have traps then Your endpoint secure. Palo alto have a autofocus with help of that we can see all the file verdict and activity.yes if we compare in the price then there is challenge.... it's up to you .In market alto is there and BMW also there but both have their own security standard..Palo alto networks not giving you a just a firewall it's giving you a full solution .
I will be installing Fortinet in a month or two. Palo Alto is excellent also, but I like the overall functionality/features and easy to use interface of Fortinet a bit better.
David
Main criteria is having the staff trained who can support and understand the features, which ever you select. Another consideration is how well your choice integrates with other security components (existing and planned) and applications. This was a BIG deal when my college went through the selection process.
I have already used both Fortinet and Checkpoint in different ways though; fortinet as an appliance and Checkpoint as a software installed in a server.
The difference between the two solutions is huge:
It was tough to change the public IP Address of Checkpoint server as there was a need for mail exchange with Checkpoint to be authorized to change IP system
· Checkpoint solution did not have any IPS nor Antivirus solution integrated
· Checkpoint server did not have web filtering possibilities
· Checkpoint is strong and fast at analyzing and applying network rules to the data exchange between a server and different clients
· Fortinet as an applying is much easier to maintain
· Fortinet includes by default an IPS, antivirus and web filtering
· Fortinet does not have a storage disk for logs by default
Fortinet seems to me better than checkpoint and easier to maintain as it is an appliance. Checkpoint offers more possibilities in terms of configuration as you can use basic unix commands on the server.
I hope I have given some useful information about at least two firewall solutions.
I am most familiar with Checkpoint and if you have the budget I would recommend you give it serious consideration. In our organization, Checkpoint IPS is a vital part of our security strategy and provides very current protection against threats ie.. it can see into the traffic and block things like some of the crypto threats from entering your organization etc..
I have also had some exposure to Palo Alto and their tools for visibility into immediately occuring issues appears very good. On the "Free" side of things, I have worked quite a bit with PFSense which seems both easy to setup and maintain with basic firewall rules and OK but not great visibility into firewall transactions ie. What is happening right now. I have also used the "Untangle" firewall over time and really liked the fact that it would send a daily email of both activity (what workstations/devices did the previous day/week/month etc..) as well as some info about threats. Untangle is not on par with the other large systems mentioned already but it may been many of your needs if your budget is a challenge.
I would strongly urge you to consider a firewall in the context of an overall Security Strategy that involves various layers of security and is also tightly co-ordinated with your network design (having a DMZ etc)
Remember that your security strategy needs to be all about the layers:
Border Firewall needs to be beefy (Ram and CPU) and smart enough to handle current threats.
You need an email filter (spam firewall) which might be incorporated into your border firewall, we use barracuda for that as it is a specialized appliance for dealing with email threats.
You need to consider proxy capability so that outgoing web traffic is less likely to suffer from web attacks.
Reverse Proxy is important to protect any services you offer through the internet (webmail etc..) You might want to consider a big gun like F5, or using something built into a border firewall.
Network Intrusion is a tricky aspect of your security to manage. You should have some sort of SIEM or central logging and correlation system where all logs from every system accumulate (windows, Linux, Switches, Other appliances etc...) this system should analyze these logs in real time and give you information about correlated events, ie 100+ login attempts in over a minute for an admin account from a workstation that earlier logged a malware infection might indicate that that workstation didn't get protected properly by your anti malware. I believe the gold standard in this is SPLUNK but you better have a very large budget for this to use SPLUNK as it is licensed based on transactions. I have seen Manage Engine Event Log analyzer work very well for this as well (cheaper than SPLUNK by orders of magnitude).
Your antimalware system today needs to have the smarts to know if a process or executable is misbehaving so something that ties into global threat reputations, can stop behavior based malware and provides excellent reporting. You might Consider options like McAfee, Sophos, Carbon Black, there are a number of very good choices in this area.
Sorry for the very long reply but just asking for information on Firewalls without context of the rest of your solution makes it difficult to give you a meaningful reply.
I find Palo Alto being complex to deploy and complexity is the enemy of networking.
Check Point is good but I have not have much hands on experience with it.
Fortigate firewall is what I will recommend because of the below reason.
1.Fortinet offers the best support experience when you have issues.
2.The Fortiguard services offers regular updates to fortigate to keep it as secure as possible.
3.The fortigate is not a complex firewall to work with hence deployment is easy and clear.
4.Fortigate give more visibility on what is happening on the network and offers sandboxing on entry level devices to better protect the network from zero day threats.
5.Provides more flexibility when defining network policy eg you can use captive portal ,device identity or mac to ip binding to control access to the network and internet.
6.Fortinet always keep you up to date on the latest threats and how to proactively block them on the fortigate like experienced in recent threats like wannacry and Petya.
Fortinet antivirus is par to none. All of the top vendors listed use another vendors antivirus. The first week we configured our fortigates we caught a ransomeware virus that was embedded in a yahoo email. We were able to see where and who tried to open the email and remoted into the computer to verify it. NSS Labs as well as others can help give some perspective into how the products work. I was a little hesitant at first to turn on most of the features (url filtering included) but knew that these firewalls had enough power to handle the load. We have an HA pair and updates are a breeze, no downtime. We have a sandbox and log fortianalyzer that actually works with the fortigates. These also have built in DDOS filters that prevented an attack on its own. This gives you great insite into who is trying to test your vulnerabilities and support can use this to help you block them in the future.
Cybersecurity & IT Operations Professional (VirtualCxO) at BrainWave Consulting Company, LLC
Consultant
2017-07-18T14:37:07Z
Jul 18, 2017
You really need to understand what the budget and objectives are. All of the firewalls mentioned above have their strengths and their advocates. I personally prefer Fortigate because they provide substantial functionality at very good price points, and that for the most part, once you learn the UI, you can manage the entire family of products.
Also, very few products have both a useful GUI and solid CLI to satisfy people who prefer either option, or just need to make a known change quickly in multiple places or devices.
It all comes down to what environment, cost, budget and support you have. But I tend to recommend Fortinet more often than not.
IT Security Consultant and Platform Architect at E.I. du Pont de Nemours and Company
Real User
2017-07-18T14:28:52Z
Jul 18, 2017
I already rule out Palo Alto, after trying to configure one for FireMon syslog reporting. You have to enable a syslog repeater, then configure for every single rule. CheckPoints seem most secure, but more difficult to configure than zone-based Junipers. I've only dealt with a few Fortigates, but they seem more limited in function than the CheckPoints and Junipers.
IT Manager / Systems Engineer 30 years at a energy/utilities company with 501-1,000 employees
Vendor
2017-07-18T14:17:51Z
Jul 18, 2017
I recently evaluated all of these as we were deciding to either upgrade and renew PaloAlto or change to another vendor. Protection was the leading factor. PaloAlto beat all the others if you turn on all the reatime protections. Check Gartner Magic Quadrant.
We compared Checkpoint, Cisco, Fortinet and 1 or 2 others with PaloAlto. We ended up going back to Palo Alto as we could not afford to have even one breach.
I would recommend Fortigate over Check-point and Palo Alto for these reasons :
1. You can almost same features with lower price for both hardware and support / license
2. Checkpoint is most expensive firewall among these listed above. Not only this, it is the most complex firewall in terms of configurations, design and troubleshooting. To manage a firewall, you need management server. You can have the management running on your gateway (firewall) but you can expect some performance issues there. Plus, all features with management server are NOT free, you have to pay to use them. Where with Fortigate, with few clicks, you ready to go.
3.NSS Lab report showing that Fortigate is capable to block many attacks over Check-point and Palo Alto and this something you might need to take in consideration as the main idea of having such device is to protect your network.
Head of Operations at a tech services company with 51-200 employees
Consultant
2017-07-18T14:08:58Z
Jul 18, 2017
Are you limiting the results are a specific reason?
The larger question here is what do they need? There is no one best, each one has a good pro and con list to compare. (do they need web filtering, geo ip blocking, layer 7 filtering, detail qos control, redundant link fail over, load balancing, client access, reports, automated reports, etc) There are a lot of open questions that can help anyone tailor what would be best to use.
My personal experience with those mentioned is to go with Palo Alto. It has a good rock solid and stable OS and can be configured to most anything your client would need.
Fortinet’s: The OS has many issues with memory even when you over spec the unit. You will find yourself having to restart it pretty often. It does have a decent configuration gui. (My personal opinion unless it’s a OS/Firmware upgrade the unit should never need rebooted).
Check Point: At least the units I have had the wonderful time working with, have been very “finicky”, granted the last one I seen was about two years ago now, which imo is a good thing. I was not impressed.
Firewalls I did not see mentioned Cisco ASA/Firepower, Cisco Meraki, SonicWall, PFSense, Adtran.
I do like the Cisco Units, though not for the faint of heart. Even the new ones you will find yourself in the shell often. That said there is a reason that most Datacenters use them, they have been around a long time and know how to build a good product.
Meraki: These have surprised me. They are as good as the Palo Alto FWs and the recent (time is relative) acquisition of OpenDNS/Umbrella into their security stack is a good blend. Easy to configure, A good option if the client will be in the FW making changes. When Paired with other Meraki units the Single Pane of Glass configuration is a plus. The Reporting is a nice feature with the ability to alert on. The Layer 7 Filtering and QOS is super well thought out. Really, really easy to configure. I can walk most anyone through a setup.
SonicWall: Just mentioning their name gives me headaches. Even after Dell purchased them the product isn’t any better again just my opinion. They are easy to setup, and that is all I will give them.
PFSense: I love OpenSource products, PFSense has a good plugin list and is easy to make your own. It is not for everyone. The recent last few firmware/OS upgrades introduced a better gui interface. Rock Solid (as long as you have good hardware.) They just work. You will however need to know the product well. Some configuration places can be confusing. Such as setting up Traffic Shaping is not as simple as in the others, “in a click of a button”.
Adtran: Adtran does not get mentioned enough. These units are good and do exactly what they are told. Never have to be rebooted unless you upgrading the firmware/os on the units. They are fast and as the phrase goes “they just work”. The GUI is still a little dated when compared to others in the market, Once you get use to it though your golden. The Shell is near identical to the Cisco, so for Cisco guys it’s an easy go between. They started out as a Voice vendor product, as you know voice is never allowed to go down and that is how their switches, routers, etc are.
So to recap: It depends on what you want to do.
In your original list, The Palo Alto is the winner.
If you want to Expand it to the larger list I would say the Meraki if you want a good gui experience and support.
If you just want it to work with a ton of no extra cost add-ons the PFSense is the next option if you’re willing to put the effort into learning it inside and out, which only the hardcore guys seem to do.
Senior IT SW Solution Architect - RnD Dpt. at a tech vendor with 51-200 employees
Vendor
2017-07-18T13:01:35Z
Jul 18, 2017
Hi,
The attached revised Gartner Report –published on July 10th, 2017- subjected the Enterprise Network Firewalls trade-offs (including the 3 brands requested),
can help our colleague to find the answers within objective context and make his conclusions.
We use Fortinet and Juniper. In Small and Mid-Range we replace Juniper with Fortinet. The administration is easier. JunOS is great but you must read and learn a lot and the fortinet web-gui is better. For administrators with lower skills the Fortinet is better. But you must learn and work with all products. You must know the appliances and the features from your appliance to build a secure infrastructure. Fortinet has solutions from iot, firewall, wifi, mail, web, dos, siem, analyzer, manager, sandbox, endpoint protection to cloud. So we can use it for our solutions and we have a consolidated administration.
I would advise they consider reviewing the NSS Labs Next Generation
Firewall (NGFW) Security Value Map 2017 where they can take into
consideration the Total Cost of ownership per protected Mbps vs security
effectiveness of the products.
1. Base on the budget and network size.
2. Palo Alto with WildFire is very good but it comes with price.
3. Fortigate and Palo Alto is similar to manage and concept.
4. Check Point skills firewall admin is not that easy to find and also didn't lead the market.
Yes, we are planning to purchase Palo Alto 3020, 820 & 220 firewalls for our Head Office and Branch Offices. Can you please share the Comparisons among Fortinet, Palo Alto & Check Point?
Check Point is the best. Awesome product. Visibility, security and user friendly. Of course don’t forget, Check Point has the best support team in the world. But the product is expensive.
Fortinet is good but if you want to more security and more visibility, choose Check Point. Fortinet is grooving. I like Fortinet because of the cost.
Palo Alto is just scrap. They stole firewall software from Juniper. And it is not a cheap product. In my opinion, forget Palo Alto.
Firewalls serve as a crucial line of defense against cyber threats by monitoring and controlling incoming and outgoing network traffic.
Firewalls analyze network traffic based on pre-defined security rules to block unauthorized access, providing a barrier between trusted internal networks and untrusted external networks. They are essential for organizations seeking to protect their digital assets.
What are some critical features of Firewalls?
Intrusion Detection: Monitors...
Hi,
It's very hard to compare brand name of firewalls and you did not clarify specific models. Normally, an IT is often using a firewall and suggest that brand name. Actually, it will depend on what bundle of service you choose in each brand name of firewall. Of course, Palo Alto - it's worth it.
My suggestion is base on your requirement of security and your budget, then read the specs of each brand name and choose whether the firewall is right to your network.
Are you limiting the results are a specific reason?
The larger question here is what do they need? There is no one best, each one has a good pro and con list to compare. (do they need web filtering, geo ip blocking, layer 7 filtering, detail qos control, redundant link fail over, load balancing, client access, reports, automated reports, etc) There are a lot of open questions that can help anyone tailor what would be best to use.
My personal experience with those mentioned is to go with Palo Alto. It has a good rock solid and stable OS and can be configured to most anything your client would need.
Fortinet's: The OS has many issues with memory even when you over spec the unit. You will find yourself having to restart it pretty often. It does have a decent configuration gui. (My personal opinion unless it's a OS/Firmware upgrade the unit should never need rebooted).
Check Point: At least the units I have had the wonderful time working with, have been very "finicky", granted the last one I seen was about two years ago now, which imo is a good thing. I was not impressed.
Firewalls I did not see mentioned Cisco ASA/Firepower, Cisco Meraki, SonicWall, PFSense, Adtran.
I do like the Cisco Units, though not for the faint of heart. Even the new ones you will find yourself in the shell often. That said there is a reason that most Datacenters use them, they have been around a long time and know how to build a good product.
Meraki: These have surprised me. They are as good as the Palo Alto FWs and the recent (time is relative) acquisition of OpenDNS/Umbrella into their security stack is a good blend. Easy to configure, A good option if the client will be in the FW making changes. When Paired with other Meraki units the Single Pane of Glass configuration is a plus. The Reporting is a nice feature with the ability to alert on. The Layer 7 Filtering and QOS is super well thought out. Really, really easy to configure. I can walk most anyone through a setup.
SonicWall: Just mentioning their name gives me headaches. Even after Dell purchased them the product isn't any better again just my opinion. They are easy to setup, and that is all I will give them.
PFSense: I love OpenSource products, PFSense has a good plugin list and is easy to make your own. It is not for everyone. The recent last few firmware/OS upgrades introduced a better gui interface. Rock Solid (as long as you have good hardware.) They just work. You will however need to know the product well. Some configuration places can be confusing. Such as setting up Traffic Shaping is not as simple as in the others, "in a click of a button".
Adtran: Adtran does not get mentioned enough. These units are good and do exactly what they are told. Never have to be rebooted unless you upgrading the firmware/os on the units. They are fast and as the phrase goes "they just work". The GUI is still a little dated when compared to others in the market, Once you get use to it though your golden. The Shell is near identical to the Cisco, so for Cisco guys it's an easy go between. They started out as a Voice vendor product, as you know voice is never allowed to go down and that is how their switches, routers, etc are.
So to recap: It depends on what you want to do.
In your original list, The Palo Alto is the winner.
If you want to Expand it to the larger list I would say the Meraki if you want a good gui experience and support.
If you just want it to work with a ton of no extra cost add-ons the PFSense is the next option if you're willing to put the effort into learning it inside and out, which only the hardcore guys seem to do.
I have worked on PA, CP, & Fortinet. I found Fortinet to be the most capable and best common interface for overall usage. As stated above, I found PA's to be overpriced for what they give you. Based on my monitoring this sector, CP & PA are trying ot catch up to Fortinet's and Cisco's ecosystem approaches. Cisco's Ecosystem, since I brought it up, still requires a user to know too many different interfaces and leads to configuration issues.
My recommendation is Fortinet.
I have experience is all flavors mentioned here.
If you are thinking about the cost of the product , then go with Fortinet. Fortinet products are cheep when compare to PA or Checkpoint. Whereas the performance of the box is not mentioned on the datasheet. You have to rethink the value based real world traffic.
For stable network m opinion is PA or checkpoint. Both devices have certain their own features which may not be replace by other device.
I would you to consult with the SE who can understand your requirement and unique features required to your organization.
my opinión : i think all vendors in security are great but i prefer FORTINET
My opinion about firewalls --> FORTI (FortiGate) is the best out of those 3:Fortinet, Palo Alto, Check Point.
Why? 1. Price (TCO), 2. Wide and complex functionality, 3. More userfriendly interface than ChPoint. Check Point is too expensive (my private opinion) compared with its functionality (the brand costs).
I haven’t got any experience with Palo Alto.
Having worked for Nokia and Check Point for eight years as a Senior S.E., and SonicWALL, and also being very familiar with Palo, Fortinet, Cisco & Sophos, I'd say it all comes to the customer's requirements.
When I was Director of Engineering at Intel for their FW/VPN, I asked marketing for the numbers of how much of our customer base was using the FW component of our product which was called and marketed a VPN. An astounding 48 per cent used the FW. I immediately had our gateway rebranded "Intel FW/VPN".
According to IDC we were number 2 of market share at 14% behind Bottle at 20%.
Unfortunately Intel bought our product as a "BB" (buy and bury). They took our code and put it on an ASIC chip and stamped it onto their NICks (network interface cards).
Being the director of engineering I was responsible for a good portion of that.
I can support on Fortinet Firewalls and its integration.
Best is subjective and I think there are many factors that could influence a decision.
Fortinet are generally less expensive but I have found their management and product splintering to be cumbersome, support is hit and miss and depends on the partner you work with. That said if you are on a budget it could be a good choice.
Palo have a good management platform, excellent firewalls and with the release of their new firewalls (820/50) have some cost effective solutions at the lower end, support is very good.
Checkpoint have a very good management platform, average firewalls with sometimes over complex configuration and from experience I would have to say awful support.
As always I would try to figure out what requirements and capabilities you are looking for, where the strengths and weaknesses of your security team lie and work from there. The solution should be built to fit your business requirements and budget.
I find Palo Alto being complex to deploy and complexity is the enemy of networking.
Checkpoint is good but I have not have much hands on experience with it.
Fortigate firewall is what I will recommend because of the below reason.
1.Fortinet offers the best support experience when you have issues.
2.The Fortiguard services offers regular updates to fortigate to keep it as secure as possible.
3.The fortigate is not a complex firewall to work with hence deployment is easy and clear.
4.Fortigate give more visibility on what is happening on the network and offers sandboxing on entry level devices to better protect the network from zero day threats.
5.Provides more flexibility when defining network policy eg you can use captive portal ,device identity or mac to ip binding to control access to the network and internet.
6.Fortinet always keep you up to date on the latest threats and how to proactively block them on the fortigate like experienced in recent threats like wannacry and Petya.
I hope this will help.
If i were you,
I'll get the budget with PaloAlto and deploy with Fortigate 100D on HO , 30E on branches and Meraki Cloud Switches on branches.
So, you will cover from Layer 1 and 2 with Meraki Switch and Layer 3 - 7 with Frotigate. Win win solution.
Becasue PaloAlto cost will equal to combine with Fortigae + Meraki.
Hi,
I think Fortinet is the best because its WebUI is the most friendly. Palso Alto is also OK. Check Point seems to require more technical knowledge.
I am sorry that I cannot find a colleagure to help you because I am on a trip recently.
王兰芳
Hi,
In my opinion, there’s no clear winner between 3 of them.
They follow their perspective view of security, and in their perspective they are the winner.
If you need high throughput, Fortinet will be the best.
If you need more up to date or get as quick as possible for zero day attack, you could choose Check Point.
If you concern more to applications latency, Palo Alto is the right answer.
Although the differences in number between them is still debatable.
So If I choose my firewall, I will stick to the budget, purpose, and where it will be placed.
Regards,
-Nuki
Palo alto gives you a complete solution to secure all your perimeter starts with next generation firewall then wildfire then traps... everyone is secured.You have a visibility of all your traffic and user activity with the help of wildfire you get verdict in just 5 minutes time and if you have traps then Your endpoint secure. Palo alto have a autofocus with help of that we can see all the file verdict and activity.yes if we compare in the price then there is challenge.... it's up to you .In market alto is there and BMW also there but both have their own security standard..Palo alto networks not giving you a just a firewall it's giving you a full solution .
I will be installing Fortinet in a month or two. Palo Alto is excellent also, but I like the overall functionality/features and easy to use interface of Fortinet a bit better.
David
Hate to say it but, "It depends"
I prefer Palo Alto but it is the most expensive.
Main criteria is having the staff trained who can support and understand the features, which ever you select. Another consideration is how well your choice integrates with other security components (existing and planned) and applications. This was a BIG deal when my college went through the selection process.
Michael McKeever
Checkpoint
I have already used both Fortinet and Checkpoint in different ways though; fortinet as an appliance and Checkpoint as a software installed in a server.
The difference between the two solutions is huge:
It was tough to change the public IP Address of Checkpoint server as there was a need for mail exchange with Checkpoint to be authorized to change IP system
· Checkpoint solution did not have any IPS nor Antivirus solution integrated
· Checkpoint server did not have web filtering possibilities
· Checkpoint is strong and fast at analyzing and applying network rules to the data exchange between a server and different clients
· Fortinet as an applying is much easier to maintain
· Fortinet includes by default an IPS, antivirus and web filtering
· Fortinet does not have a storage disk for logs by default
Fortinet seems to me better than checkpoint and easier to maintain as it is an appliance. Checkpoint offers more possibilities in terms of configuration as you can use basic unix commands on the server.
I hope I have given some useful information about at least two firewall solutions.
All the best
Ob
I am most familiar with Checkpoint and if you have the budget I would recommend you give it serious consideration. In our organization, Checkpoint IPS is a vital part of our security strategy and provides very current protection against threats ie.. it can see into the traffic and block things like some of the crypto threats from entering your organization etc..
I have also had some exposure to Palo Alto and their tools for visibility into immediately occuring issues appears very good. On the "Free" side of things, I have worked quite a bit with PFSense which seems both easy to setup and maintain with basic firewall rules and OK but not great visibility into firewall transactions ie. What is happening right now. I have also used the "Untangle" firewall over time and really liked the fact that it would send a daily email of both activity (what workstations/devices did the previous day/week/month etc..) as well as some info about threats. Untangle is not on par with the other large systems mentioned already but it may been many of your needs if your budget is a challenge.
I would strongly urge you to consider a firewall in the context of an overall Security Strategy that involves various layers of security and is also tightly co-ordinated with your network design (having a DMZ etc)
Remember that your security strategy needs to be all about the layers:
Border Firewall needs to be beefy (Ram and CPU) and smart enough to handle current threats.
You need an email filter (spam firewall) which might be incorporated into your border firewall, we use barracuda for that as it is a specialized appliance for dealing with email threats.
You need to consider proxy capability so that outgoing web traffic is less likely to suffer from web attacks.
Reverse Proxy is important to protect any services you offer through the internet (webmail etc..) You might want to consider a big gun like F5, or using something built into a border firewall.
Network Intrusion is a tricky aspect of your security to manage. You should have some sort of SIEM or central logging and correlation system where all logs from every system accumulate (windows, Linux, Switches, Other appliances etc...) this system should analyze these logs in real time and give you information about correlated events, ie 100+ login attempts in over a minute for an admin account from a workstation that earlier logged a malware infection might indicate that that workstation didn't get protected properly by your anti malware. I believe the gold standard in this is SPLUNK but you better have a very large budget for this to use SPLUNK as it is licensed based on transactions. I have seen Manage Engine Event Log analyzer work very well for this as well (cheaper than SPLUNK by orders of magnitude).
Your antimalware system today needs to have the smarts to know if a process or executable is misbehaving so something that ties into global threat reputations, can stop behavior based malware and provides excellent reporting. You might Consider options like McAfee, Sophos, Carbon Black, there are a number of very good choices in this area.
Sorry for the very long reply but just asking for information on Firewalls without context of the rest of your solution makes it difficult to give you a meaningful reply.
Good luck with your quest!
VIC
=+=
We are using fortinet 201e for Small enterprise which is best in the market and cheaper than others
Palo Alto is for very large enterprise companies and mover expensive no local support in medal east
Never heard about Check Point
I find Palo Alto being complex to deploy and complexity is the enemy of networking.
Check Point is good but I have not have much hands on experience with it.
Fortigate firewall is what I will recommend because of the below reason.
1.Fortinet offers the best support experience when you have issues.
2.The Fortiguard services offers regular updates to fortigate to keep it as secure as possible.
3.The fortigate is not a complex firewall to work with hence deployment is easy and clear.
4.Fortigate give more visibility on what is happening on the network and offers sandboxing on entry level devices to better protect the network from zero day threats.
5.Provides more flexibility when defining network policy eg you can use captive portal ,device identity or mac to ip binding to control access to the network and internet.
6.Fortinet always keep you up to date on the latest threats and how to proactively block them on the fortigate like experienced in recent threats like wannacry and Petya.
I hope this will help.
Fortinet antivirus is par to none. All of the top vendors listed use another vendors antivirus. The first week we configured our fortigates we caught a ransomeware virus that was embedded in a yahoo email. We were able to see where and who tried to open the email and remoted into the computer to verify it. NSS Labs as well as others can help give some perspective into how the products work. I was a little hesitant at first to turn on most of the features (url filtering included) but knew that these firewalls had enough power to handle the load. We have an HA pair and updates are a breeze, no downtime. We have a sandbox and log fortianalyzer that actually works with the fortigates. These also have built in DDOS filters that prevented an attack on its own. This gives you great insite into who is trying to test your vulnerabilities and support can use this to help you block them in the future.
I have never used either Palo Alto or Check Point, but the fortigate is a pretty good firewall, easy to setup and maintain.
You really need to understand what the budget and objectives are. All of the firewalls mentioned above have their strengths and their advocates. I personally prefer Fortigate because they provide substantial functionality at very good price points, and that for the most part, once you learn the UI, you can manage the entire family of products.
Also, very few products have both a useful GUI and solid CLI to satisfy people who prefer either option, or just need to make a known change quickly in multiple places or devices.
It all comes down to what environment, cost, budget and support you have. But I tend to recommend Fortinet more often than not.
-ASB
I already rule out Palo Alto, after trying to configure one for FireMon syslog reporting. You have to enable a syslog repeater, then configure for every single rule. CheckPoints seem most secure, but more difficult to configure than zone-based Junipers. I've only dealt with a few Fortigates, but they seem more limited in function than the CheckPoints and Junipers.
I recently evaluated all of these as we were deciding to either upgrade and renew PaloAlto or change to another vendor. Protection was the leading factor. PaloAlto beat all the others if you turn on all the reatime protections. Check Gartner Magic Quadrant.
We compared Checkpoint, Cisco, Fortinet and 1 or 2 others with PaloAlto. We ended up going back to Palo Alto as we could not afford to have even one breach.
I would recommend Fortigate over Check-point and Palo Alto for these reasons :
1. You can almost same features with lower price for both hardware and support / license
2. Checkpoint is most expensive firewall among these listed above. Not only this, it is the most complex firewall in terms of configurations, design and troubleshooting. To manage a firewall, you need management server. You can have the management running on your gateway (firewall) but you can expect some performance issues there. Plus, all features with management server are NOT free, you have to pay to use them. Where with Fortigate, with few clicks, you ready to go.
3.NSS Lab report showing that Fortigate is capable to block many attacks over Check-point and Palo Alto and this something you might need to take in consideration as the main idea of having such device is to protect your network.
Are you limiting the results are a specific reason?
The larger question here is what do they need? There is no one best, each one has a good pro and con list to compare. (do they need web filtering, geo ip blocking, layer 7 filtering, detail qos control, redundant link fail over, load balancing, client access, reports, automated reports, etc) There are a lot of open questions that can help anyone tailor what would be best to use.
My personal experience with those mentioned is to go with Palo Alto. It has a good rock solid and stable OS and can be configured to most anything your client would need.
Fortinet’s: The OS has many issues with memory even when you over spec the unit. You will find yourself having to restart it pretty often. It does have a decent configuration gui. (My personal opinion unless it’s a OS/Firmware upgrade the unit should never need rebooted).
Check Point: At least the units I have had the wonderful time working with, have been very “finicky”, granted the last one I seen was about two years ago now, which imo is a good thing. I was not impressed.
Firewalls I did not see mentioned Cisco ASA/Firepower, Cisco Meraki, SonicWall, PFSense, Adtran.
I do like the Cisco Units, though not for the faint of heart. Even the new ones you will find yourself in the shell often. That said there is a reason that most Datacenters use them, they have been around a long time and know how to build a good product.
Meraki: These have surprised me. They are as good as the Palo Alto FWs and the recent (time is relative) acquisition of OpenDNS/Umbrella into their security stack is a good blend. Easy to configure, A good option if the client will be in the FW making changes. When Paired with other Meraki units the Single Pane of Glass configuration is a plus. The Reporting is a nice feature with the ability to alert on. The Layer 7 Filtering and QOS is super well thought out. Really, really easy to configure. I can walk most anyone through a setup.
SonicWall: Just mentioning their name gives me headaches. Even after Dell purchased them the product isn’t any better again just my opinion. They are easy to setup, and that is all I will give them.
PFSense: I love OpenSource products, PFSense has a good plugin list and is easy to make your own. It is not for everyone. The recent last few firmware/OS upgrades introduced a better gui interface. Rock Solid (as long as you have good hardware.) They just work. You will however need to know the product well. Some configuration places can be confusing. Such as setting up Traffic Shaping is not as simple as in the others, “in a click of a button”.
Adtran: Adtran does not get mentioned enough. These units are good and do exactly what they are told. Never have to be rebooted unless you upgrading the firmware/os on the units. They are fast and as the phrase goes “they just work”. The GUI is still a little dated when compared to others in the market, Once you get use to it though your golden. The Shell is near identical to the Cisco, so for Cisco guys it’s an easy go between. They started out as a Voice vendor product, as you know voice is never allowed to go down and that is how their switches, routers, etc are.
So to recap: It depends on what you want to do.
In your original list, The Palo Alto is the winner.
If you want to Expand it to the larger list I would say the Meraki if you want a good gui experience and support.
If you just want it to work with a ton of no extra cost add-ons the PFSense is the next option if you’re willing to put the effort into learning it inside and out, which only the hardcore guys seem to do.
They can google the comparison. That’s what I did. Fortinet is definitely better than those mentioned.
Hi,
The attached revised Gartner Report –published on July 10th, 2017- subjected the Enterprise Network Firewalls trade-offs (including the 3 brands requested),
can help our colleague to find the answers within objective context and make his conclusions.
Rgds,
We use Fortinet and Juniper. In Small and Mid-Range we replace Juniper with Fortinet. The administration is easier. JunOS is great but you must read and learn a lot and the fortinet web-gui is better. For administrators with lower skills the Fortinet is better. But you must learn and work with all products. You must know the appliances and the features from your appliance to build a secure infrastructure. Fortinet has solutions from iot, firewall, wifi, mail, web, dos, siem, analyzer, manager, sandbox, endpoint protection to cloud. So we can use it for our solutions and we have a consolidated administration.
I would advise they consider reviewing the NSS Labs Next Generation
Firewall (NGFW) Security Value Map 2017 where they can take into
consideration the Total Cost of ownership per protected Mbps vs security
effectiveness of the products.
www.nsslabs.com
I have also attached the 2016 findings.
Kind regards,
Belinda
1. Base on the budget and network size.
2. Palo Alto with WildFire is very good but it comes with price.
3. Fortigate and Palo Alto is similar to manage and concept.
4. Check Point skills firewall admin is not that easy to find and also didn't lead the market.
Yes, we are planning to purchase Palo Alto 3020, 820 & 220 firewalls for our Head Office and Branch Offices. Can you please share the Comparisons among Fortinet, Palo Alto & Check Point?
Regards,
Ghayur Abbas
FortiNet
Hello all;
My advice is Check Point, because the best solition of IPS IDS is CheckPoint.
Hi,
can’t say much about Check Point or Palo Alto. Fortinet was ok, but we moved to Cyberoam vUTM which is more scalable, cheaper, and has HA.
Vytautas
Hi,
Check Point is the best. Awesome product. Visibility, security and user friendly. Of course don’t forget, Check Point has the best support team in the world. But the product is expensive.
Fortinet is good but if you want to more security and more visibility, choose Check Point. Fortinet is grooving. I like Fortinet because of the cost.
Palo Alto is just scrap. They stole firewall software from Juniper. And it is not a cheap product. In my opinion, forget Palo Alto.
Hi,
It depends on their requirements. Each solution adds a different layer of value.
Fortinet