Can Sophos XG 85w handle network traffic going through Cisco switches better than Fortigate UTM? Which one will be a better firewall for handling mobile operator network traffic going through Cisco switches?
I have experience with both platforms, and according to the scenario you describe, both will work fine. What you need to consider is which one will give you better support when it comes to resolving doubts, and in my experience that is better with Sophos. My recommendation would be to have a certified partner who accompanies you in the scenario.
Network and Security Engineer at an integrator with 51-200 employees
Vendor
Feb 11, 2016
In a mobile operator network the main concerns for a firewall are usually throughput, concurrent connections and new connections per second. The other "functions" such as L7 protection, QoS and IPS are handled by specific appliances (proxy, packet shaper, video optimizer). Even NAT is sometimes performed on the router and not on the firewall.
This is because the numbers for a mobile operator are usually very high compared to an enterprise, where NGFWs are usually deployed.
At a top mobile operator we got very good results with high-end Juniper SRX devices, thanks to predictable performance numbers and a very scalable architecture. You can add blades for extra performance.
When comparing ASIC vs Intel architectures, the biggest problem lies in the data that vendors make available. Today Fortinet (ASIC) lists NGFW throughput, while they published only AV throughput in the past. Sophos (Intel) and Juniper (ASIC) list only AV throughput, and WatchGuard (Intel) lists both. Also on the firewall throughput side, one lists small vs large packets while others list IMIX throughput, which makes it difficult to compare by numbers.
When you do the math, you will find that Fortinet (ASIC) has an average performance drop of 92.8%, Juniper (ASIC) 89.4%, Sophos (Intel) 84.2% and WatchGuard (Intel) 67.1% (79.8% on Freescale-based systems).
Possibly the Juniper and Sophos numbers should be a bit higher, because only AV throughput was used for the calculation (they don't publish NGFW/UTM throughput).
Still, WatchGuard's numbers show that there is an advantage for the Intel platform once UTM services get turned on. In the end it depends on the coding and solution design whether someone uses the advantages of a certain architecture to the full extent or not. WatchGuard's numbers just prove that Sophos has plenty of room to improve their code.
Just one comment about some people mentioning that Intel vs ASIC is only important in routing / stateful packet inspection. Offloading sessions to an ASIC is much faster than using the CPU, not only for UTM features but also for IPsec / SSL VPN, where encryption / decryption is offloaded to the ASIC for better performance. That is the reason why some multi-core CPU vendors have an ASIC circuit only for IPsec / SSL VPN: they know hardware encryption / decryption is faster than the CPU.
According to the listed Sophos appliance model, this seems to be a very small shop - or someone has made a wrong recommendation regarding the model.
Neither vendor should have any problems with any kind of switches. Problems could start to come up when you have to support link aggregation - but in such a small shop that is probably not the case, and a device with just 4 LAN ports isn't optimal for such scenarios anyway.
I have seen it mentioned that Sophos is Intel based, while Fortinet is ASIC based. This part is true - what is not true is assuming that this would be an advantage for UTM services. ASICs are great for routing and stateful packet inspection - but cannot keep up with Intel processors when it comes to processing UTM services. In the specs, you will see great numbers for firewall throughput on ASICs and quite poor performance at AV throughput - the hardest part of UTM filtering. Opposite to that, you will see lower figures for firewall throughput on Intel-based systems and better specs when it comes to UTM throughput (less performance degradation).
If you select your device based on the needed UTM throughput, the architecture - ASIC or Intel - shouldn't be so important. But you may experience a price difference between appliances with the same UTM throughput, based on the architecture.
I don't know why only Sophos and Fortinet made it to the list, since SonicWall and WatchGuard also have nice models for shops of this size.
When buying a firewall, one should consider a lot of factors. One of the most important is manageability. Everyone has their own preferences, and you can't say whether one or the other brand will better fit the preferences of a given user. You have to run a test, set up a demo network and see which of the products is the one that you prefer to manage.
The second factor is picking the right model for the throughput you need today and in the near future. If you plan to use UTM services, UTM throughput (AV+IPS+..) is the most important criterion, followed by the number of supported connections and/or users/devices you plan to protect with it.
The third factor is the price. Once you have found out what model you need to look at, it shouldn't be difficult to get the price for it. But you have to be very careful to read the pricing correctly. Some products come with one set of options/features/support, while another product may come with a completely different set, and you have to purchase these options separately.
I differ from your perspective or opinion regarding the size or the application of the Sophos platform/appliances. Sophos has the capability to offer telco industry solutions as well (they have the ability to create up to a 10-system cluster on any model). Please do not misguide the users, since Fortinet is a direct competitor of Sophos, and both have their competences and challenges.
You are intending to use a really small appliance, so perhaps your question (for me) seems misguided. What kind of mobile traffic are you referring to? It all depends on the expected throughput, and perhaps both systems would work fine (all depending on your expected throughput). This is what really matters, along with the support. Sophos, without being perfect, has far better support and engineering than Fortinet. Hope this helps ;)
Managing Director at a tech services company with 501-1,000 employees
Real User
Feb 2, 2016
SOPHOS XG is certainly the BEST option of the day from a cost perspective, deployment perspective & value for money. Besides, you have options where you can buy it as software or as an appliance. But you gotta keep in mind the product is excellent only for the small & medium business market segment.
On the other hand, FORTINET has its own value & credibility, with several options to choose from in features & throughput. The more features you would like to have, the higher the cost. There is a bit of complexity in configuring the appliance, but it is all manageable. The high uniqueness about Fortinet is that they have models from small SOHO users to the telco level industry.
I don't think either would be the best choice for handling this type of traffic -- they are both designed for "normal" Windows/Mac PC type endpoints. Neither has the best agents for this kind of traffic pattern. You might be better off with a Cisco ASA, but then that will require a pretty big expenditure to cope with the level of throughput involved.
Network Analyst at a financial services firm with 1,001-5,000 employees
Vendor
Feb 2, 2016
This is a tricky question to answer. Both will technically be able to handle it based on a 100Mb/s or 1000Gb/s interface. The Sophos XG has a higher specification and IPS throughput. How much network throughput you intend to use will need to be taken into account when you choose your appliance. If you choose Fortinet, the equivalent to the Sophos XG 85w would be a Fortigate 90D. Before choosing either, I would highly recommend that you use a traffic monitoring/profiling tool to understand what types of traffic you are using most, and this will pretty much sway you towards Sophos or Fortigate respectively. You may also want to consider other alternatives such as McAfee Next Gen Firewall or Dell SonicWall, which provide alternate solutions. You also need to bear in mind the cost of training and certification in each of the products as well.
Head IT Services at a healthcare company with 501-1,000 employees
Vendor
Feb 2, 2016
Hi, currently I am using a Fortigate 1000D firewall on my network and it is working perfectly. I have not used the Sophos XG, so I cannot really differentiate the two devices when it comes to handling traffic from Cisco switches.
As for mobile traffic, Gartner's report places Fortigate as a leader in enterprise networks. So, I believe Fortigate should be your best bet.
Q: Can Sophos XG 85w handle network traffic going through Cisco switches better than Fortigate UTM?
A: Both can handle traffic going through Cisco switches, but it depends on the amount of traffic that needs to be processed / inspected.
The Sophos XG 85w is an Intel-based hardware appliance with a max firewall throughput of 2000 Mbps. So, with ALL UTM features enabled on the box, the overall throughput might be less than 300 Mbps, which is something you have to take into consideration when choosing between Sophos & Fortigate. Keep in mind that Fortigate uses ASIC processor hardware which is capable of processing traffic at near line-rate network speeds without degradation in performance.
Q: Which one will be a better firewall for handling mobile operator network traffic going through Cisco switches?
A: The largest model is the XG 750, where the max firewall throughput is 140,000 Mbps. According to the Gartner report, Sophos is not a key player in the large enterprise market such as carriers, enterprise data centers and ISPs, due to limited processing capabilities. Fortinet offers these capabilities with its FortiGate 5000 series chassis-based platforms with FortiASIC processors, offering groundbreaking throughput and proven resilience.
Principal Network Engineer at a tech services company with 51-200 employees
Consultant
Feb 2, 2016
1) Both should work – however there are some questions
2) Number of actual devices protected by the firewall
a. Servers
b. PCs/laptops
c. Mobile devices
d. Any other IoT devices (wearables, beacons or sensors)
3) Is the firewall the only wireless AP in the network?
4) How many subnets and/or VLANs are protected by the firewall?
If the number of devices is less than 50, my only concern is the WiFi capability of the device (in other words – how many WiFi devices are expected to be using the firewall). Once you get above 20 wireless devices, you need to look at a stronger wireless solution vs having the firewall do everything. I have seen a 50 person office have 130 devices on the network because people have phones and tablets, wearables, and then there are guests that want to use the guest WiFi network.
Manager of Security Services at Orion Technology Services
MSP
Feb 2, 2016
Your quality of throughput is going to partly depend on the number of users you have sitting behind the firewall, what type of work they'll be performing, and the size of the Internet circuit. If you can answer those questions, then you'll be off to a better start in making a decision. I have a few handy sizing guides somewhere; I'll need to look for them. Feel free to reach out to me and I'd be happy to show you some of the cool features the XG series has, and I think I can still get a free demo version you can play with too.
Sr Network/MIS Manager at a healthcare company with 501-1,000 employees
Vendor
Feb 2, 2016
Would the Cisco switches have an impact vs, say, HP or Extreme switches? I am assuming your solution has the correct size of Cisco switch for the amount of traffic you are expecting to pass.
Senior Technical Consultant - Network and Security at a tech services company with 51-200 employees
Consultant
Feb 2, 2016
Both firewalls will handle the traffic very smoothly and are interoperable. Considering user friendliness and ease of operation, I will recommend Fortigate. Also, if we compare Sophos with Fortigate, Fortigate is a more stable product than Sophos.
Principal Network Engineer at a tech services company with 51-200 employees
Consultant
Feb 2, 2016
In my experience such a question actually yields more questions in response than a simple answer.
1) Both should work – however there are some questions
2) Number of actual devices protected by the firewall
a. Servers
b. PCs/laptops
c. Mobile devices
d. Any other IoT devices (wearables, beacons or sensors)
3) Is the firewall the only wireless AP in the network?
4) How many subnets and/or VLANs are protected by the firewall?
If the number of devices is less than 50, my only concern is the WiFi capability of the device (in other words – how many WiFi devices are expected to be using the firewall). Once you get above 20 wireless devices, you need to look at a stronger wireless solution vs having the firewall do everything. I have seen 50 person offices have 130 devices on the network because people have phones and tablets, wearables, and then there are guests that want to use the guest WiFi network.
I think that it will handle the traffic very well; however, you didn't specify the Fortigate model.
Something that I have learned the hard way is the "max concurrent connections/sessions" that a firewall can handle. Your firewall can have very good throughput, but if the max concurrent connections is reached, the stability of the firewall can be compromised. There are tools to limit the simultaneous connections of a client/device to avoid reaching the limit, but it is better to have a firewall with a very good amount of "max concurrent connections/sessions". For example, a DELL NSA 3600 can support 300000 simultaneous connections (depending on the configuration).
Another thing that you have to look at when choosing a new firewall is the set of tools that are included with the product; many of the products on the market have analysis tools sold separately. In other solutions, like Kerio Control, you have an all-in-one solution.
One last thing: check licenses. Many times you will see a firewall capable of 1 million things, but the base license includes 1% of that.
Please check this, I hope that it can help you:
www.fortinet.com
www.sophos.com
PS: Sorry for my English :)
Security Senior Network Engineer with 1,001-5,000 employees
Real User
Feb 2, 2016
Fortinet has a better and well-known tradition with service providers, and the product from Sophos is relatively new. The question has no complete answer if you don't specify what Fortinet UTM model we are talking about.
Networking/Security Engineer with 51-200 employees
Vendor
Feb 2, 2016
I work a lot with Fortinet equipment, but I also know the Sophos manufacturer.
Both Fortinet and Sophos are excellent security equipment, very easy to work with, manage, administer and implement.
I give support to customers who have networks with CISCO switches that connect with Fortigate UTMs, and they work without any problems, but you should ensure that the propagation of VLANs is done properly; otherwise, I think both manufacturers work well with CISCO.
The standards are used by all manufacturers.
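As an added example that is not from any poster in this thread, this is what "VLAN propagation done properly" looks like on the Cisco side: an 802.1Q trunk toward the firewall that carries only the VLANs the firewall terminates, with the native VLAN parked on an unused ID and DTP negotiation disabled. The interface name and VLAN IDs are constructed assumptions.

```cisco
! Added example, not from the original thread. Assumed: GigabitEthernet0/1 is the
! switch port cabled to the firewall's LAN interface; VLANs 10 and 20 are constructed.
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 999
 name NATIVE-UNUSED
!
interface GigabitEthernet0/1
 description 802.1Q trunk to UTM firewall
 ! only needed on platforms that also support ISL; dot1q-only switches reject it
 switchport trunk encapsulation dot1q
 switchport mode trunk
 ! prune the trunk to the VLANs the firewall terminates so nothing else leaks across
 switchport trunk allowed vlan 10,20
 ! untagged frames land in a dead VLAN instead of a production segment
 switchport trunk native vlan 999
 ! disable DTP so the port never negotiates trunking with whatever is plugged in
 switchport nonegotiate
 no shutdown
!
! Verify from privileged EXEC that the trunk is up and carries exactly VLANs 10,20:
!   show interfaces GigabitEthernet0/1 trunk
```

On the firewall side, each VLAN needs a matching tagged sub-interface (tags 10 and 20) bound to the physical port facing this switch; both Sophos XG and FortiGate model this as a per-VLAN interface on top of the LAN port.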
I don't understand the relevance of what sort of switches the traffic is going through. How much traffic, and what are you trying to do exactly with the firewall?