One of the most popular comparisons on IT Central Station is Cisco ASA vs Fortinet FortiGate.
People like you are trying to decide which one is best for their company. Can you help them out?
What is the biggest difference between Cisco ASA and Fortinet FortiGate? Which of these two solutions would you recommend to a colleague evaluating Firewall solutions and why?
Thanks for helping your peers make the best decision!
Fortinet FGs: Great devices, relatively easy to deploy and maintain. Cheaper than most devices of their kind. If you're looking for a lot of features at a relatively low price point this is the way to go. However, beware of Fortinet's promises performance-wise: if you take this route you'll want to over-dimension your device a bit, otherwise you will not be activating the features you're buying. Stability and reliability are OK (careful with software upgrades as they tend to break some things).
Cisco ASA: My personal preference because of the peace of mind they provide (especially if it's your phone that rings every time something breaks). Not as friendly as Fortinet, takes effort to deploy and maintain. They are more expensive and offer fewer features, but they do the work they are built for, and they do it exceptionally. If you are looking for stability, reliability and great support, and you don't mind spending some extra dollars, then this is the way to go. Firepower adds some of the missing features that other vendors offer, but not as well integrated IMO. They are improving in that regard, but still lag behind other vendors with UTM devices.
Cisco has been playing catch-up for years with regard to firewalls; they still don't have it. Personal preference is PA; however, I would also recommend Fortinet hands down over the Cisco ASA if my job depended on it.
Cisco ASA is an excellent product if you don't need UTM capabilities and will be leveraging other security solutions to complete your security architecture. We recently replaced our ASA with Fortinet as the latter provided a UTM device that was more in line with our strategy to simplify our architecture and operations. The Fortinet VDOM approach is miles ahead of Cisco, providing flexibility in how we deploy our security appliance, which would be much more difficult with the ASA. Even though we are a Cisco shop, the FortiGate has proven to be easier to manage and gets the job done, with no issues after almost 1 year of operation. Other benefits include the lower cost, less complexity in licensing and the FortiOS Security Fabric, which can extend seamlessly to incorporate switches and APs, allowing you to easily build out your security infrastructure and manage it all through a single pane of glass with FortiAnalyzer and FortiManager integrated into the box. What more can you ask for?
1. The biggest difference between the two is the pricing. You can get a higher model of FortiGate with all the bells and whistles for a quarter of the price of the basic model of the Cisco Firepower (Cisco's next-gen firewalls).
2. Cisco ASA will be end of production pretty soon. I am unsure if they will continue to sell the ASA with Firepower bundle.
3. The only upside of buying Cisco these days is the TAC support, which of course comes with the huge cost of Smartnet support.
4. The downside of FortiGate is that their support isn't as great as Cisco's. So if you know what you are doing you can get by with FortiGate just fine and save a bunch of money in the process. It is not that difficult to work with FortiGate.
5. My suggestion is do a Proof of Concept with both the hardware on site and evaluate the performance and ease of use. Your sales rep for Cisco and FortiGate should be able to get you a demo device.
6. Also key when choosing a firewall is understanding the nature of your traffic. For example: my previous company dealt with a lot of bid traffic, which is really small packets but in large numbers, and the Palo Alto firewall that we bought for almost $500K could not handle it. Hence, do your due diligence and understand the traffic that will be passing through the firewall.
7. Evaluate the firewall to see if it can handle east-west traffic security (zero trust deployment).
In a comparison between Cisco ASA and Fortinet, I would always say Fortinet is ahead of Cisco. Having deployed both firewalls in our managed environment, I have had a better experience with Fortinet:
1. FortiGate hardware is seen to provide better performance than Cisco, with hardware issues almost nil. Failover between devices is seamless compared with Cisco ASA.
2. The port density and type (copper/fiber) that come with any FortiGate hardware at its throughput comparison level are high, and you will have the privilege of deploying the firewall in your customized scenarios, which further gives a cost advantage.
3. The VDOM management concept is one of the differentiating factors, where manageability and sharing a firewall in multi-environment projects saves cost.
4. FortiManager and FortiAnalyzer are best for managing multiple firewalls in a single pane.
5. Both firewalls support most NGFW features, but I feel FortiGate is superior with respect to management of policies: IP based, user based, DNS based and application based.
6. Support-wise, FortiGate is seen as ahead of Cisco TAC.
7. Mainly, you will see no or fewer IOS bugs and vulnerabilities in FortiGate, whereas with Cisco you have to constantly keep upgrading with frequent IOS releases.
8. You will see more API integration options with FortiGate than ASA to customize and automate some of the operational cases.
Before I respond completely, does it matter if the bandwidth is compromised while all firewall apps are active?
My experience with Fortinet was heavy overhead while their firewall apps were active. This was with a 1GHz Verizon FIOS business account (1 GHz up AND download). Hardwired endpoints and WiFi connections using FortiGate APs were under 20 devices. We were below 100 MHz, and this was confirmed with my 3rd party, with whom I had a 5 day a week, 8 hours/day support account. That is a greater than 90% overhead. The Fortinet device was a 90-D router - that was overkill for what my company size was and yet it still had that performance.
In order to answer that question, a few things need to be understood about the current environment.
For small to medium businesses where funding is a concern, Fortinet is a very good long-term solution. If you are deploying an external and internal environment, you could leverage a combination of both, where the Cisco ASA is on the internal and Fortinet on the external.
Fortinets are easier to deploy and their security approach is top end.
ASAs are a bit more difficult and, with FirePower, are known to be an issue when deploying and pushing out policies.
I'd be more inclined to go with Fortinets than ASAs if staff and resources are limited.
Hello, I recommend Cisco ASA. It is very consistent, powerful, flexible and interoperable, which is the main goal of Cisco products. I always recommend ASA to my clients if they need a firewall only.
FortiGate is a good product, easy to implement and manage, and it is also less expensive compared to ASA. Most of the time I recommend Fortinet to clients who have a limited budget for security, so by choosing FortiGate, the client can use the other services such as antivirus, malware protection, application control and so on.
So in summary the choice is not made based on the device, but based on the customer's infrastructure, budget and the technical resources they have to manage the devices.
Cheers,
The biggest difference from my investigation is the drill-down detail available with the Fortinet. If it were up to me, I would have gone with the Fortinet, but administration couldn't justify the additional cost differential.
As a UTM, Forti is the best choice, but if you want to add IPS and IDS functions it's better to use Cisco FIREPOWER. In our case we are using the two solutions. That keeps each performance.
Cisco FW for peace of mind
Between the two options I recommend FortiGate over Cisco ASA for the following reasons. If you require IPS functionality on the Cisco ASA, it is provided through the Firepower module (formerly Sourcefire), which Cisco was never able to integrate natively with the ASA; that is why they work independently, so that configuring them requires a different management tool. Since they are independent modules, packet inspection is done serially by each of the enabled security functions. This type of hardware architecture leads to enormous performance degradation as more functions are enabled. For that reason Cisco is deprecating the Cisco ASA and replacing it with the Cisco Firepower platform that it acquired and that finally won the battle.
Unfortunately I have no real production experience with FG (just a little, limited, in the lab) so I cannot pronounce a relevant verdict. Based on this, I think FG has the advantage in the accelerated hardware, while ASA has a wider range of features and greater possibilities for fine tuning, and of course there is still unbeatable support. With ASA, I have production experience with models up to 5525X and testing in the lab with the 5585X-SSP 60, and my experiences are very positive. Of course, depending on the requirements in each particular situation, one or another device can be a better choice. Perhaps the users who do not get into the command line will prefer FG because of the unattractive Cisco GUI, but for users like me who "grew up" on the CLI it will not be important for the decision.
If you are a Cisco house, go for Cisco ASA, but I will prefer the Cisco Firepower series. Managing an ASA+FIREPOWER series is really time consuming.
(From the above here you can see that, for just a firewall, Cisco has different naming + license + usage + OS. A newbie to Cisco firewall products will get frustrated; even some "senior" engineers do not know how to work with Cisco firewall products.)
Personally I will prefer FortiGate if just comparing between Cisco and Fortinet.
If you are comparing PA, Checkpoint, Fortinet and Cisco, PA will be the top selection.
There is a lot of discussion about firewall brands out there.
Eventually, all are controlled by the company budget. If you have an unlimited budget, I can get all the brands for different purposes and meet all the security compliance.
Considering and recommending any equipment relies on demands, then environment, then possible sources.
In my case there were not so many and not such heavy demands.
I would like to find a simple solution in terms of maintenance and licensing for an environment with a lack of human resources in a small office.
Based, more or less, on the previous, my choice would be FortiGate.
Correct me if I'm wrong, but I feel that a user should spend more effort and money on Cisco.
However, the name of the game should not be producer vs producer, but "You have to have it"; just use any available.
This is only an end user's opinion.
Only CISCO ASA and ASAv benefit from integration with the highest-grade multi-factor authentication product, CASQUE SNR. For whitepapers see www.linkedin.com
I'll recommend Fortinet.
I'll recommend Fortinet.