Wanted to get some firsthand input on Fortinet vs Sophos and how seamless the transition from TMG was.
Sophos: Has anyone transitioned/migrated on to the new Sophos XG Platform (a combination of the Astaro and Cyberoam) yet? If so, are all the TMG replacement technologies still present on the new platform? Are we better off sticking to the current tried and true UTM 9 offering or jumping on board the brand-new XG Platform?
Also, how is the overall effectiveness of Sophos as an NGFW? The results I saw from a couple of security lab reports are a bit concerning.
Fortinet: Is a FortiWeb (appliance or VM) absolutely required on top of a FortiGate Firewall for Reverse Proxy services for OWA, SharePoint, Terminal Services Gateway, etc.; Inbound/Outbound SSL Bridging & Inspection, Web Proxy, single sign-on user authentication (AD integration), etc.? Are there any major TMG feature gaps missing from Fortinet's?
How easy or difficult was the transition with the Fortinet solution? Is their tech support as bad as I’ve read on a few threads?
It depends. If you don’t need to pre-authenticate your OWA/SharePoint users before they reach your server, then FortiGate on its own could do the job. But keep in mind that FortiGate is not a Reverse Proxy solution. Yes, FortiGate can do OWA and SharePoint publishing on its own (with Virtual IPs or Server Load Balancing), and it can scan that traffic with IPS/Antimalware/DLP/Web Filter/Antispam, but it cannot authenticate the users on behalf of the OWA or SharePoint. It can inspect SSL traffic, but it cannot perform SSL Offloading for these services. Also, FortiGate cannot do URL rewriting (necessary, for example, if you want to automatically redirect all clients who are accessing your OWA server from HTTP to HTTPS). So, if you are looking for a full-fledged reverse proxy solution, then a FortiWeb is required.
On the other hand, FortiGate can serve pretty well as a Web Proxy (if sized appropriately). It supports Web Caching and PAC script. It also supports SSO with AD, Novell and RADIUS, so it is a great alternative to TMG in this respect. Gaps, as mentioned, are related to Reverse Proxy functionality: External User SSO Authentication and SSL Offloading are missing.
Fortinet went a long way to replace the TMG with the FortiWeb, so the transition should not be a problem for savvy users who understand the basic principles of a WAF and know that FortiWeb is not a UTM device.
Our experience with the Fortinet tech support was almost entirely positive. Never did they tell us that something is not their issue or that some other vendor's product is responsible for our problems – they always helped us as much as they could. For example, recently I've had some trouble connecting the FortiMail with an IBM StorWize storage via iSCSI. Fortinet tech support really dived into the problem, while IBM support almost immediately responded that the FortiMail is not supported as an iSCSI host, and that we should try to connect from a supported iSCSI host (Windows). Naturally, the problem was on the IBM side. And we always get the impression they are really trying to resolve the issue at hand; they're not just referring you to some random documentation and giving generic recommendations (like 'restart the device', 'upgrade the firmware', etc.). But, I must say that I'm talking from the Fortinet Gold Partner perspective; I don't really have much insight on how they treat end users, except that we had no complaints so far. Of course, this is a two-way street. You have to do your part well, and describe the problem (and diagnostic steps already performed) thoroughly, so that they are able to really help you and not waste their (and your) time on basic diagnostics.
We have no experience with Sophos.
I have used both Sophos and Fortinet products in production and I have found the Sophos UTM appliances (hardware and virtual) to be a better fit most of the time -- with a few caveats which I will touch on below. In both instances, the transition from TMG will be mostly straightforward. The main hang-ups will be with the VIP/load balancing and SSL. For some reason that completely escapes me, both of these vendors make getting valid certificates onto their boxes unnecessarily difficult -- the Fortinet appliances more so than the Sophos UTM appliances. At one point a Fortinet engineer had to write an entire manual on how to get an SSL certificate uploaded successfully on the 4.x firmware.
Sophos: The one feature that is missing (and this makes some amount of sense) from the Sophos appliance is BITS caching for updates. Other than that, Sophos offers a full replacement for TMG on UTM9. The XG platform also offers a replacement for the TMG; however, some of the rumblings about upcoming releases suggest that Sophos is going to give XG the Apple iOS treatment and "streamline" the interface...potentially cutting out/hiding some functionality. On the effectiveness of the NGFW, Sophos is mostly good but has a few issues blocking all pieces of an application. For instance, we had to build custom blocking rules for OpenVPN (the VPN was being used to bypass the content filter) because the default Application Control wasn't effectively blocking the application.
Fortinet: If it wasn't for Fortinet's terrible tech support we would still be deploying Fortigates exclusively. So perhaps that answers your last question right upfront. FortiWeb is not absolutely required for what you are proposing; however, the FortiWeb does make the transition from TMG much easier as the FortiWeb is purpose-built to do what you are requiring. Related, the AD integration used with Fortinet is one of the strongest implementations we have used: the SSO agent's ability to poll data from the DCs without an agent allows the use of SSO with non-Windows machines that are bound to AD, which we have used extensively at both educational institutions and shops running CentOS. Transitioning to Fortinet is relatively simple: the UI makes a lot more sense than it did in the old 4.x releases, the firewall rules are straightforward, and the reverse proxy settings are well documented.
I missed the bit about their tech support. It really does leave a lot to be desired. Most of the issues you’re able to sort out yourself or make use of the forums available. The issues are generally the same across the board so you’ll most likely find a solution or something similar to help point you in the right direction.
I don’t really know Sophos all that well so can’t comment on that particular piece of kit.
However, in terms of moving from TMG and Cisco ASA to NGFW, the process is quite seamless. The exception is that if you're using TMG to do URL forwarding, you'll have to do a bit of a custom jobby to get that going. The only means of doing URL forwarding is by utilising the explicit proxy feature. Not exactly the same but close enough.
The Fortigate isn't able to host any certificates for Exchange or any of the like. The only certificates that you're able to upload on to it are the ones specifically used for SSL inspection, VPN, Wi-Fi and to prevent certificate warnings when connecting to the browser-based management console.
We've not needed to use FortiWeb as of yet as the Fortigate covers all of the customers' requirements. One thing that I can suggest is an absolute must for logging is a FortiAnalyzer. The virtual edition works very well and comes in at a much lower cost.
Try Barracuda Load Balancer ADC. Worked for me to replace TMG at a way lower price point than any NGFW.
Hi reviewer362526,
In addition to the already excellent points covered by Michael above, here are answers to your queries:
The Web Application Firewall (WAF) module running in the new Sophos XG Firewall is the same as that in Sophos UTM 9.X. Meaning, the XG Firewall inherits ALL web server protection features present in Sophos UTM. Put simply, just like Sophos UTM, the XG Firewall also offers a FULL and seamless replacement for the TMG.
About the concern Michael has raised related to the "streamlined" interface in XG Firewall that "could result in cutting out/hiding some functionality" - the new UI in XG Firewall is meant to provide quick access to all the features you need without unnecessary complexity. Rest assured, neither does the XG Firewall cut out or hide any WAF feature of Sophos UTM nor do we plan to do so :)
In fact, the XG Firewall goes a step ahead of Sophos UTM and makes the transition from TMG even smoother with its ALL NEW pre-defined WAF policy templates that let you protect common applications like Microsoft Exchange or SharePoint fast. Simply select them from a list, provide some basic information and the template takes care of the rest. It sets all the inbound/outbound firewall rules and security settings for you automatically, displaying the final policy in a statement in plain English!
Also, check out this TMG replacement guide by Sophos:
www.sophos.com
Coming to your queries related to Fortinet:
1. Is a FortiWeb appliance absolutely required on top of a FortiGate Firewall...?
As mentioned by Michael, you do not necessarily need a FortiWeb appliance on top of a FortiGate unit to fulfill the requirements you cited above. The reason being, with the new FOS 5.4.0 released a week back, FortiGate has caught up a lot as far as features related to protecting web servers are concerned. That said, FortiGate still doesn't have a proper WAF. It seems to be a collection of Web Application attack blocks by signature, maybe taken from their IPS/AppControl.
2. Are there any major TMG feature gaps missing from Fortinet's?
Yes, FortiGate still doesn't support the following TMG features:
- Reverse Proxy
- Reverse Proxy SSL Offloading and
- Reverse Proxy Authentication
Coming back to your 1st query, if you need these "must-have" TMG features, you MUST buy a FortiWeb appliance (which is priced separately) on top of a FortiGate unit!
3. Is Fortinet's tech support as bad as I’ve read on a few threads?
Again, as mentioned by Michael, Fortinet's tech support is just horrible.
Feel free to get back if you need further assistance with this :)
Unfortunately I don't have experience with either Fortinet or Sophos; I would recommend the member try out WebSense as it would cover all his/her requirements and more.
If you want my word on NGFW, it doesn't include Sophos nor Fortinet. Those are "light" UTM solutions that see mostly "clean" networks even when they are seriously compromised.
If you want to get serious, choose either Palo Alto Networks or Checkpoint Security appliances.
Our company produces our own range of high-performing IDS/IPS appliances, which have the highest visibility. You can check them at: www.aensis.com
Take a look also at this solution:
www.stormshield.eu
This has a better UTM based on RFCs; Sophos is always the best for proxy features.
There are many arguments for choosing Stonegate.
Most definitely Fortinet has been far longer involved in the firewall business than SOPHOS: better maturity and functionality.