Fortinet vs Cisco

subl1m1nal Member Posts: 176
Hi all,

Not to stir up a fanboy throwdown, just a genuine question. I had a sales guy come in here and pitch some fortigate firewalls at me. I'm not really a Cisco or WAN guy so I was hoping some of my good friends on TE could clue me in on information.

Which is better: Fortigate or ASA? I've had a fortigate firewall that I managed about 5 years ago and I hated it. Is it any better?

Features desired:
Intrusion Detection/Prevention
Data Loss Prevention
Outbound port blocking

Any other features I should be looking at? I know the fortigate will be much cheaper, but it may not be as valuable.

Currently we have Cisco 1700 routers that do have some firewall rules set up on them. But from my understanding, they are not as featured as a PIX, ASA, or Fortigate. The sales guy recommended I put the fortigates behind my cisco routers.

Any thoughts?

Thanks,
Subl1m1nal
Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure

Plans for 2010: MCITP:EA and CCNA
70-648 - Done
70-643 - In progress
70-647 - Still on my list
70-680 - Still on my list

www.coantech.com
www.thecoans.net
www.facebook.com/tylercoan
www.twitter.com/tylercoan
www.linkedin.com/users/tylercoan

Comments

  • it_consultant Member Posts: 1,903
    I know people who swear by fortinet, to me it looks like it's in the same class as Watchguard which is what my business uses. I prefer ASA but for the price and capability I think the fortinet would probably be a good bet for you. You could also look into using the "Classic" firewall that's available in the cisco routers you own, that firewall is actually fairly well featured.
  • Forsaken_GA Member Posts: 4,024
    Fortinets are wonderful toys, and I much prefer them over ASAs
  • RTmarc Member Posts: 1,082
    Fortinets are wonderful toys, and I much prefer them over ASAs

    I'm in this club.

    By the way, don't put FortiGates in the same category as the Firebox. Watchguard has some of the most backwards logic I've ever encountered.
  • msteinhilber Member Posts: 1,480
    I know you didn't mention these specifically but thought I would toss it out there as I've jumped head first into them and have grown to be quite fond of them. We ended up looking into Juniper and tried out their SRX gateways and after a week or two of testing ended up ordering 40 SRX100's and a SRX240 for our corporate office. Once I got used to Junos I found myself feeling more comfortable on Juniper gear than I had with Cisco and I have a lot more hands-on time with Cisco not to mention classroom and self-study time spent learning it.

    Just thought I would throw another option out there. I would probably have had 40 ASA's instead since that is what I was more familiar with when we were ready to order. But at that point (few months ago) Cisco was having horrible supply issues with ASA's and they just weren't available.
  • Chivalry1 Member Posts: 569
    RTmarc wrote: »
    I'm in this club.

    By the way, don't put FortiGates in the same category as the Firebox. Watchguard has some of the most backwards logic I've ever encountered.

    I'm in the club. Check this post http://www.techexams.net/forums/general-certification/58100-fortinet-training-certification.html

    Fortinets are great firewalls! I have worked with Fortinet firewalls in a corporate environment. They are not by "ANY" means in the same category as Watchguard Firebox. I would rather run IPTables before running that crap they call a Watchguard firewall. I am a Cisco PIX firewall guy and Fortinets are the best competition.

    Lower your operational, deployment and support cost by choosing a set of Fortinet Fortigate 800 Firewalls. Think to yourself there is a reason why Fortinet has a "Fan Club" ;)

    Sidenote: From the stock market today 9/28/
    Cisco closed @ 21.86 {CSCO}
    Fortinet closed @ 24.36 {FTNT}
    "The recipe for perpetual ignorance is: be satisfied with your opinions and
    content with your knowledge. " Elbert Hubbard (1856 - 1915)
  • mikej412 Member Posts: 10,086
    Chivalry1 wrote: »
    Sidenote: From the stock market today 9/28/
    Cisco closed @ 21.86 {CSCO}
    Fortinet closed @ 24.36 {FTNT}
    CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
    FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68
    
    Cisco Certifications -- Collect the Entire Set!
  • subl1m1nal Member Posts: 176
    Good stuff guys. I've always been partial to cisco since my training at school has been with cisco products. However, since school, I don't spend a lot of time working on the equipment. Set it and forget it type deal.

    I don't think we'll get rid of our cisco routers. Maybe we'll put a fortigate or juniper behind the ciscos for some added security.

    Thanks for the replies guys!
  • it_consultant Member Posts: 1,903
    I gotta hand it to Juniper, they have some of the best firewalls I have ever seen. They aren't cheap though.
  • Bl8ckr0uter Inactive Imported Users Posts: 5,031
    mikej412 wrote: »
    CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
    FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68
    

    Owned lol!
  • jojopramos Member Posts: 415
    +1 to Mike....
  • NightShade1 Member Posts: 433
    Fortinet Fan here also :P

    don't put fortinet on watchguard category please....
    mikej412 wrote: »
    CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
    FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68
    


    Cisco founded 1984...
    Fortinet founded 2000...
    Chivalry1 wrote: »
    Im in the club. Check this post http://www.techexams.net/forums/general-certification/58100-fortinet-training-certification.html

    Sidenote: From the stock market today 9/28/
    Cisco closed @ 21.86 {CSCO}
    Fortinet closed @ 24.36 {FTNT}
    for 16 years of advantage in the market this should not be happening... shame on cisco
  • it_consultant Member Posts: 1,903
    How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at their success as a company.

    I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.
  • NightShade1 Member Posts: 433
    How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at their success as a company.

    I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.

    Umm if you see in the Magic Quadrant from Gartner you see Fortinet really near cisco in the challenger quadrant.... even if cisco has 16 more years than fortinet in the market...

    In the SMB Fortinet is the leader in there... not to mention that in the enterprise firewalls fortinet is in the challenger quadrant while watchguard is in the niche players you can't put them both in the same category...

    Anyways what you think Cisco firewalls are better than fortinet ones? I'm assuming you think that... tell me if I'm wrong...

    Another interesting note... Fortinet went public last year... so fortinet was owning by itself... now just give it a few years and we will see...now they got greater financial resources....
  • it_consultant Member Posts: 1,903
    My preference for firewalls (based on personal experience) is this:

    Palo Alto or Checkpoint (tied for one only because Palo Altos are INCREDIBLY expensive)
    Netscreen
    Cisco ASA
    Watchguard

    I have used each of those products so I can attest to their high and low points.

    As far as the value of a company is concerned, the stock price indicates how much a stock is worth right now. Which is great for investing, however it does nothing to indicate cash on hand, research and development, mergers and acquisitions, etc. which all combine to determine the actual market standing and power of a company. That's not to say that fortinet is not an outstanding company, it's to say that comparing stock prices as the sole way to indicate how well a company is doing is too narrow.
  • Heero Member Posts: 486
    for 16 years of advantage in the market this should not be happening... shame on cisco
    So if fortinet had 10 total shares at $20 each, and Cisco had 100 million shares at $10 each, Fortinet would somehow be better?

    Last I checked stock price is only important when comparing it to the SAME company's previous prices, not a competitor with different amounts of stock/market capitalization.
  • msteinhilber Member Posts: 1,480
    I'm sure the OP really had debating stock price, market cap, and stock split history in mind when he created this thread, wait - that's not what he asked about. Pretty sure he has plenty of information to go off from now to make a more informed decision.
  • Chivalry1 Member Posts: 569
    How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at their success as a company.

    I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.


    I think the mass majority of us here have managed these firewalls in one manner or another. Again I am basing this off "my" IT consulting experience. I have managed CISCO PIX/ASA, Netscreen, Juniper, Watchguard, Sidewinder and IPTables. I am just saying in my experience Fortinets are the best firewall solution. The majority of my experience is Cisco so the nickel and diming is not a new concept to me.

    The stock reference shows customer and consumer confidence in the product regardless of the volume. Seeing that the company only went public 4th quarter last year, it's amazing that the stock is worth as much. Gartner report only provides more fuel.

    To get back to the main question get Fortinet and leave the pricey Cisco appliances to the corporate companies that have excess money to spend.
  • NightShade1 Member Posts: 433
    it consultant
    you should try fortinet firewall if you haven't... you will see they are pretty awesome...
    you are the first person I know that pick watchguard over fortinet O_o
  • hypnotoad Banned Posts: 915
    Cisco Price/Earnings is 16.4
    Fortinet is in the low 20's
  • it_consultant Member Posts: 1,903
    it consultant
    you should try fortinet firewall if you haven't... you will see they are pretty awesome...
    you are the first person I know that pick watchguard over fortinet O_o

    I would love to try fortinet, unfortunately, like many things, firewall purchasing decisions are out of my control. I had to fight tooth and nail to get an ASA for a network I put in. The ASA was a grand cheaper than the WG and arguably a better product.

    I still rip out more Sonicwalls than I would like to admit!
  • falcon101 Member Posts: 51
    Damn I love this topic since FORTIGATE Router/Firewalls are the bread and butter in our network topology.

    As much as Cisco is praised (and it should be in some sense) I have nothing but love for the Forti's.


    We use their 60, 100A, 200 and 110C devices all over. I have personally deployed 13 of these suckers at our Corporate and 12 branch offices. We get the CPE's (Cisco, Samsung UBIGATE and Netopia) from the ISP's and then the Forti takes care of the rest.

    Few advantages are COST, support and Manageability. Setting up access policies, routes, VPN gateways etc etc has never been easier. It's amazing how much our network infrastructure relies on these devices. Yes, we have issues where 2 of them have gone down but that's what config and appliance backup are for. Although they don't offer any Net Mon software but Fireplotter is simple and just awesome for graphical network monitoring in addition to their built-in stuff.

    I have not messed with their WiFi products but they look tempting. One thing I do have to admit, I have so much been spoiled with the Fortis within the last 7 years that I haven't touched a CISCO product which kinda concerns me for any future endeavors and CCNA. I guess that's where CBT nuggets and TrainSignal comes in :)
  • ssampier Member Posts: 224
    As mentioned Juniper is a solid product. It costs us less than Cisco with greater port density.

    For instance, a Juniper SRX 240 costs I think $2,300. The Juniper SRX includes 16 Gig-E ports. They had a lighter product with 3 or 4 ports for $1,000 or so. I can't remember what version the "lighter" one was, however.

    I am not a salesperson. I just had the job of picking out a firewall for 3 educational agencies and I did some simple training.
    I know you didn't mention these specifically but thought I would toss it out there as I've jumped head first into them and have grown to be quite fond of them. We ended up looking into Juniper and tried out their SRX gateways and after a week or two of testing ended up ordering 40 SRX100's and a SRX240 for our corporate office. Once I got used to Junos I found myself feeling more comfortable on Juniper gear than I had with Cisco and I have a lot more hands-on time with Cisco not to mention classroom and self-study time spent learning it.

    I was pretty impressed with JUNOS-ES. I never got the command line down, but I did like the web gui. It was usually pretty snappy (with the frequent small, 'bugs', however). At least it was when I used 9.4. I haven't touched one in months.

    I also never setup the VPN. It wasn't a huge priority and I had easier options. How much was the VPN per user, if you don't mind my asking?
    Future Plans:

    JNCIA Firewall
    CCNA:Security
    CCNP

    More security exams and then the world.
  • cablegod Member Posts: 294
    ssampier wrote: »
    As mentioned Juniper is a solid product. It costs us less than Cisco with greater port density.

    For instance, a Juniper SRX 240 costs I think $2,300. The Juniper SRX includes 16 Gig-E ports. They had a lighter product with 3 or 4 ports for $1,000 or so. I can't remember what version the "lighter" one was, however.

    I am not a salesperson. I just had the job of picking out a firewall for 3 educational agencies and I did some simple training.



    I was pretty impressed with JUNOS-ES. I never got the command line down, but I did like the web gui. It was usually pretty snappy (with the frequent small, 'bugs', however). At least it was when I used 9.4. I haven't touched one in months.

    I also never setup the VPN. It wasn't a huge priority and I had easier options. How much was the VPN per user, if you don't mind my asking?

    I run an all Juniper gear shop, SSG/SRX firewalls, SA SSL VPN's, and EX series switches. The VPN on the SRX/SSG's may work, but I find it much simpler for end-user VPN to use the SSL VPN appliances from Juniper. They work absolutely GREAT. Worth every cent, just like the rest of their products that we use. Juniper made a believer out of me, and I was dyed-in-the-wool Cisco 5+ years ago. I like Juniper so much, I even bought Juniper stock after our "conversion". Funny, but true :)
    “Government is a disease masquerading as its own cure.” -Robert LeFevre
  • Forsaken_GA Member Posts: 4,024
    I still rip out more Sonicwalls than I would like to admit!

    This is not a bad thing. Every time I run into one of those damn things, I want to reenact the scene from Officespace with the printer
  • Forsaken_GA Member Posts: 4,024
    cablegod wrote: »
    but I find it much simpler for end-user VPN to use the SSL VPN appliances from Juniper. They work absolutely GREAT.

    Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user
  • ssampier Member Posts: 224
    Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user

    They do look pretty sweet. For our purposes Windows RRAS is just as easy (although probably not as secure).

    Admittedly some of my confusion was because I was not familiar with IPSec at the time. Phases? Diffie-Hellman? This VPN is related to Mayonnaise?.
  • cablegod Member Posts: 294
    ssampier wrote: »
    This VPN is related to Mayonnaise?.

    Haha, I said the same thing when I was learning about IPSEC.
  • NightShade1 Member Posts: 433
    Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user

    Same with Fortinet SSL... you just give the end user a tiny program they just put their user name and password and ip or FQDN of the fortigate and there you go.... you can give access to users in the whole network per user... like that user has permission to that server which is in panama and this user has this permission for this server which is in italy.... you can route those users through fortigates with their logical interface in which you can even run OSPF between them.... it's fantastic... you would just need one vpn access to access the whole network if you wanted....
    Not only with SSL vpn you can do the same thing with IPSEC vpn....

    I don't know if you can do that with a watchguard... or with an ASA... or with Juniper
    can you? I actually have no idea... anyone can enlighten me if you can do these kind of things on these equipment
  • cablegod Member Posts: 294
    Same with Fortinet SSL... you just give the end user a tiny program they just put their user name and password and ip or FQDN of the fortigate and there you go.... you can give access to users in the whole network per user... like that user has permission to that server which is in panama and this user has this permission for this server which is in italy.... you can route those users through fortigates with their logical interface in which you can even run OSPF between them.... it's fantastic... you would just need one vpn access to access the whole network if you wanted....
    Not only with SSL vpn you can do the same thing with IPSEC vpn....

    I don't know if you can do that with a watchguard... or with an ASA... or with Juniper
    can you? I actually have no idea... anyone can enlighten me if you can do these kind of things on these equipment

    The Juniper does. And it does it wonderfully. Very easy to setup & configure. I think they have a demo on their website. I tied mine into AD for authentication and it's worked flawlessly 24x7 ever since. Basically the user browses to http://vpn.companydomain.com (if you setup your DNS that way), login with their AD username & password, and they see what I've given them access to and any pre-configured RDP/Terminal Services/SSH sessions. You can do this on a group-level as well in the "roles" and "rolemapping" sections. It has a built-in WebEx like tool called SecureMeeting that works wonderfully as well that comes with (I think) 4x concurrent licenses out of the box. You can use Linux, Mac OS X, and Windows with the Juniper SSL VPN. That was a BIG selling point to us. The hostchecker is very well-done too. Meaning for Windows clients, if they do not have an approved (by the security admin) antivirus program that is running and UPDATED, it will deny access. You can get extremely granular and creative in all areas of configuration. It's been absolutely great for us. I can't recommend it highly enough.
  • APA Member Posts: 959
    +1 for Juniper SRXs we have SRX240's deployed in our network... brilliant little things :)

    Also have some Juniper ISG1000's deployed as well...run the screenos code but still rock solid firewalls...

    Always been a PIX\ASA man myself but playing around with the SRX has been a very beneficial experience.

    Haven't used fortinet much..... but from what I have seen and heard they are pretty handy devices.

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP