Which product do you recommend: Palo Alto Network VM-Series vs Fortinet FortiGate?
I'm researching two firewall products for a company with 1000+ employees and I'm looking for a technical comparison between Palo Alto Network VM-Series and Fortinet FortiGate Firewall.
Consultant at a tech services company with 501-1,000 employees
Reseller
2021-04-29T08:55:17Z
Apr 29, 2021
Hello Tarun, we have been designing solutions with Palo Alto Networks NGFW for 6 years now and we have 95%+ customer retention.
I would suggest looking into customer requirements on the basis of the following things, and priority is given by the customer:
1. Internet bandwidth.
2. No. of users - in-house and users connecting from home/outside the organization network.
3. Security features required - sandboxing, DNS Security, etc.
4. Port density required on the firewall.
5. SSL decryption.
6. Deployment - on-prem, virtual DC, or on cloud.
7. HA requirement.
8. MFA requirement.
9. Local presence of a Palo Alto/Fortinet expert team.
10. Integration with other (operational) solutions like SD-WAN, load balancer, etc.
11. Integration with other security solutions like EDR/XDR or XSOAR.
12. Customer's current solution (firewall/UTM and engineers/IT team working on it).
13. Customer's current IT team strategy.
14. Customer's future IT strategy (to move to the cloud, etc.).
15. Customer's growth and scalability in 5 years.
16. Reporting and logging requirements.
17. Customer's budget for IT security.
Well, I guess with these parameters and the customer's priority you can recommend them a suitable solution.
Palo Alto NGFW will be best recommended for the following:
1. Deployment on the cloud - It has a very stable PAN-OS for VM-Series.
2. Security innovations - Considering security, in terms of today and the future, Palo Alto is disruptive and groundbreaking.
3. Predictive bandwidth - Palo Alto NGFW gives us predictive bandwidth, and hence, once sized, it will last longer than defined. The throughput numbers are test cases of real-world scenarios, and after enabling all the features. It operates on its patented SP3 architecture and defines device throughput after enabling all security features and operational functionalities.
4. Integration with EDR/XDR and SOAR/XSOAR platforms.
5. User/SSL VPN - When you are planning for SSL VPN on Palo Alto NGFW, it will not charge you additionally for users connecting their Windows or Mac systems to the NGFW over SSL VPN. For users that are on Android/iOS/Linux/etc., and require additional HIP checks and Clientless VPN, there is a single subscription you will need to purchase.
6. Sandboxing - Palo Alto came up with WildFire, which is a threat intel cloud that can be termed Palo Alto Networks' sandboxing solution, but it does much more than that. It has a response SLA of 5 mins, where it can convert any unknown to known in 5 minutes or less. Also, after it identifies the file, it auto-updates other engines like URL filtering, DNS Security, Anti-Spyware, bad IP and domain lists, and CNC tunnel signatures.
7. Reporting and alerting - The foremost reason why users started implementing Palo Alto firewalls inside their network was to get visibility - in terms of user-level visibility, network traffic (depth to application layer), and content (files and threats) level visibility. Also, logging and reporting is provisioned on the appliance itself and no additional subscription or appliance is required, unless the customer requires the storage of logs for a longer time frame. The NGFW also correlates all the events and alerts to give critical visibility like botnets and hosts and users accessing malicious websites, or resolving malicious domains.
8. EDL - Again, external dynamic lists (EDL) help you reduce the attack surface by minimizing the traffic to and from malicious and bad IPs and domains. This list is automatically updated by Palo Alto Networks by default by its threat research teams (Unit 42), threat intel (WildFire), DNS Security module, and other sources. It also has a provision for you and/or the customer to integrate other third-party URL lists to be blocked.
9. Security features:
-- DNS filtering - By intercepting DNS traffic, you will not need any additional solution and/or modification in your current network for protection against threats related to DNS traffic. Its DNS module is cloud-based and tightly integrated with other modules and features of the NGFW.
-- Credential phishing - This feature will avoid users sharing/uploading their credentials which are the same to access internal resources and external websites. This will prevent the leak of user credentials.
-- ML-powered NGFW - Currently, PA NGFW is the only firewall powered by ML to prevent unknown threats in real time.
10. Application layer firewall - Complete identification of all and any traffic based on application rather than port and protocol. Not only the known but also if the application is not identified it will classify that traffic as unknown. Also, you can create a custom application as required.
and many more...
Benefits in the FortiGate firewall will be:
1. More port density.
2. Better SD-WAN configuration.
3. Easy user interface and hence lacks granular controls.
4. Provides seamless integration with FortiToken for MFA (additional cost).
5. Seamless integration with Forti Load balancer.
6. Low cost (than Palo Alto, at least).
Thanks
Darshil Sanghvi
Consultant at a tech services company with 501-1,000 employees
Reseller
Apr 29, 2021
I might sound biased on Palo Alto NGFW, but I have tried the features, used them, tested them in my lab, customer labs, and real-time environment, and I am happy to see the solution deliver the features and uptime that it says and documents.
Solutions Architect at a tech services company with 51-200 employees
Real User
2021-05-11T12:48:27Z
May 11, 2021
Palo Alto, Fortinet, and Checkpoint are the best NGFW. You can choose one of them.
The Fortinet advantage is the Security Fabric. Many other Fortinet products (switches, AP, EDS, XDR, DDoS, FortiClient, etc.) are integrated, and a FortiGate can communicate with another product to block an attack.
Team Lead Network Infrastructure at a tech services company with 1-10 employees
Real User
2021-04-29T08:50:20Z
Apr 29, 2021
Because PA has an FPGA-based architecture, which no other firewall has, the firewall processes the traffic from all the engines simultaneously. It increases the efficiency of the product and provides way better throughput as compared to other vendors. The performance of the security engines of PA is better than other vendors. PA provides on-box reporting; you have to purchase FortiAnalyzer separately for reporting in Fortinet. PA provides a granular view of policies, providing insight into which policies are used and which are not. It also provides a feature that tells you which of the firewall's features are not being utilized; this way you can plan your renewal to only purchase the features you need.
Networking Specialist at a healthcare company with 1,001-5,000 employees
Real User
2021-04-30T13:06:10Z
Apr 30, 2021
I have FortiGates, and the last firmware upgrade cut internet traffic if you use Proxy-Based Inspection Mode (recommended and more secure); you have to use Flow-based (less secure). I don't work with Palo Alto.
I am an enterprise user of FortiGate and PA compares favorably to Fortinet. I have used FortiGate for a variety of reasons, but here are the most important reasons we use them (compared to PA):
1. Price versus performance.
2. Fortinet has a strategic security view that is focused on security requirements rather than marketing. (PA has a distinct advantage in marketing.)
3. Fortinet leadership (CEO and CTO) are focused on value and long-term relationships.
Fortinet FortiGate and Palo Alto Networks VM-Series are leading network security solutions. Palo Alto Networks VM-Series is viewed as a superior product due to its comprehensive features, making it worth the higher cost.
Features: Fortinet FortiGate users highlight its robust VPN capabilities, user-friendly configuration, and threat detection efficiency. Palo Alto Networks VM-Series users value its advanced security features, integration capabilities, and consistent updates.
...
I strongly recommend Sophos XG Firewall.
Take a look
Sophos Firewall: Synchronized Next-Gen Firewall
I think you can go with Palo Alto...
@AnkitMittal, any insights why?
Palo Alto
@Alejandro Ortega, can you please specify some technical reasons why?
I would recommend Palo Alto
@reviewer1461459, could you please explain why?