I work for an IT company that provides the latest End-to-End ICT integrated solutions. We are currently evaluating Cisco Firepower NGFW and Fortinet FortiGate.
What would you say are the biggest differences between the two? Which would you recommend?
Thanks for your help! I appreciate it.
Firepower requires significant systems to sit adjacent to an ASA to support IPS and other aspects of the solution. FortiGate does not require a significant investment in systems and offers a number of cloud-based options to move to a near turn-key solution. In addition, VPN implementation and other tools and instrumentation fit well within a comprehensive compliance solution including various scanners.
In my opinion, the entry price point for the two solutions and the ongoing manageability of the platform tips the scale heavily in Fortinet’s corner. I tend to prefer systems that appear in Gartner’s upper right quadrant and in my opinion, Cisco has to play significant “catch up” and have significantly improved in the last 24 months but they are still behind.
We are partners for both products and as a security practice, we recommend Fortinet over Cisco for security. Fortinet offers improved security efficacy, performance, and cost. Cisco has dropped off badly in analysts' reports recently and we hardly see them in serious security conversations on this side of the world.
The FortiGate is a good firewall for the price. Out of the box, it runs great. As time progresses, nine months/one year into the updates it isn't running as well. I think overall it is still okay for the most part. Price is big for many customers and the FortiGate is a good value. The Cisco FTD or ASA w/Firepower is also a good firewall. The FTD has quite a bit of compute and resources. The Snort engine does a good job of identifying traffic and flagging traffic that needs more analysis. The ASA functions run as virtual on the ASA as Lina. So all your Site-to-Site VPN and AnyConnect work from this side of the firewall. The ASA with Firepower is almost a legacy firewall that isn't as fast as the FTD but it still gets the job done. Unless you need the legacy connections I would go the FTD route. The ASA architecture of hardware is going the route of the FTD. Once AnyConnect was added to FTD it is the way to go. The real value comes in the integration with all the other Cisco products. Umbrella, AMP4Endpoint, ISE, Stealthwatch, and Cloudlock all integrate directly with the Cisco Firepower NGFW to give you visibility with Cisco Threat Response. Honestly, with the right API, you can get the same integration with the FortiGate. I would say that with the right ordering schedule you can get a bundled package that is pretty price competitive.
Another consideration is what are you replacing when you are putting this firewall in? Make sure that you are getting the right throughput solution that can handle the traffic. Cisco CDO makes migration fairly easy if you are migrating old ASAs. If you are replacing a FortiGate it might be best to stay in that direction.
If you are going to be managing all of these firewalls and keeping them updated I would not hesitate to go the Cisco FTD route. Using Cisco Threat Response operationalizes security management.
If you need a performance appliance, Cisco is not the one. Once you start adding policies, IPS and others, it chokes.
Fortinet has custom semiconductors that can handle hardware with a tremendous amount of efficiency compared to anyone else.
I am a Cisco Academy trainer and unfortunately, I would use Fortinet any time. I even have one at home. Cisco is well known for routers and I cannot fault that, but that is the extent I would comment.
We are partners of both products and we understand that the decision goes on the side of the security strategy that they want to follow. If the driver is simplicity and also a comprehensive solution, Fortinet is by far what you should take; now if we lower the price strategy, Fortinet is also cost efficient. But if your strategy only focuses on securing a perimeter which is going to stay in that condition for a very long time without being integrated into another Cisco solution, it is still a valid option.
FortiGate interface and features are easier to set up and manage
Regretfully, I have no in-hand experience on either specific firewall.
I can only comment that Fortinet remains one of the forebears in firewall technology and Cisco Meraki has the corporate backup of Cisco.
We have a Meraki MX series firewall and, to date, it has covered our needs comprehensively. It does tend to lend itself more towards full integration of Meraki devices throughout the network, e.g. peer-to-peer VPNs, but hybrid networks still function well, albeit a little more complicated to set up.
Either supplier will not let your client down as both are reliable vendors. I would advise your client to list the important elements of NGFW for their network and compare these. If these comparisons are balanced, and I suspect that support is equivalent from both vendors then it's down to cost.
I was in exactly your shoes a few months back. We made the decision to go with FortiGate for a few reasons:
1. The price was a no brainer. Cisco NGFW is also (in my opinion) miles behind what some of the firewalls can do nowadays.
2. The throughput of the firewall: I chose to go with the 501-E model of the FortiGates. It has 2x 10G interfaces and a total throughput of about 30Gbps I think (don’t quote me on this).
3. Ease of configuration: The FortiGates are one of the easiest firewalls to configure. They do have their own bugs but if you find a stable release, you’d be very satisfied with these firewalls.
I would still prefer a Palo Alto over a Fortinet firewall but they will come at a huge price tag!
The biggest difference is the ease of use and deployment.
Fortinet has a simple user interface and they seem to have a better UI/UX design than Cisco.
While Cisco is also a market leader and good with firewalling technologies, the ease of use is not there. This is coming from someone that started learning with Cisco products.
@reviewer1171122 I am a Cisco Academy Trainer. I would not use ASA and Java, simple as that. Fortinet's most important feature, as many others have said, lies in that it is the only thing in the market that has ASIC chips (semiconductors) that can handle traffic and inspection. It does not rely on its CPU so it does not choke when lots of policies are being added. I have a FGT40 at home and the CPU is idling at 1 per cent. I do have a VoIP IP PBX and mail servers and attacks galore; it still holds. I had an ASA 5506 and got rid of it in 2 weeks. Had enough.
I am not going to mention the price because, at the end of the day, the price of something cheap turns very expensive.
I had a Cisco ASA and got fed up. That Java interface, that extra module for IPS, it was a total headache.
Fortinet has spent serious money on ASIC (Application Specific Integrated Circuit) chips so the hardware can take care of the work and leave the CPU at low revs. The interface is great and that Java disaster goes, but regardless of that, for the efficiency and real protection, well, see the NSS Labs reports, nothing more to say.
Cisco invented the router, then purchased a switch company, then they pretended to know RF (Radio Frequency or wireless). Sorry, it's not on. Not even with the purchase of IronPort. Fortinet is the way to go. I am a Cisco Academy trainer, and after this, the truth is one and only one.
By the way, the appliance I have also comes with 10 licenses for endpoint security clients (FortiClient). Not bad, but Symantec Endpoint Security is better, especially when it comes to layer 2.
I worked on Stormshield and I'm currently using FortiGate, so it's hard for me to compare it with Cisco. I am happy with Forti; support is good. However, they sometimes have bugs in the firmware. Forti is easy to configure; at a basic price it has a lot of options, a free VPN client, VPN SSL portal with large, and sandbox options.