Fortinet vs Cisco

Hi all,

Not to stir up a fanboy throwdown, just a genuine question. I had a sales guy come in here and pitch me some fortigate firewalls at me. I'm not really a Cisco or WAN guy so I was hoping some of my good friends on TE could clue me in on information.

Which is better: Fortigate or ASA? I've had a fortigate firewall that I managed about 5 years ago and I hated it. Is it any better?

Features desired:
Intrusion Detection/Prevention
Data Loss Prevention
Outbound port blocking

Any other features I should be looking at? I know the fortigate will be much cheaper, but it may not be as valuable.

Currently we have Cisco 1700 routers that do have some firewall rules set up on them. But from my understanding, they are not as featured as a PIX, ASA, or Fortigate. The sales guy recommended I put the fortigates behind my cisco routers.

Any thoughts?

Thanks,
Subl1m1nal

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

it_consultant

I know people who swear by fortinet, to me it looks like its in the same class as Watchguard which is what my business uses. I prefer ASA but for the price and capability I think the fortinet would probably be a good bet for you. You could also look into using the "Classic" firewall thats available in the cisco routers you own, that firewall is actually fairly well featured.

Forsaken_GA

fortinet's are wonderful toys, and I much prefer them over ASA's

RTmarc

Forsaken_GA wrote: »

fortinet's are wonderful toys, and I much prefer them over ASA's

I'm in this club.

By the way, don't put FortiGates in the same category as the Firebox. Watchguard has some of the most backwards logic I've ever encountered.

msteinhilber

I know you didn't mention these specifically but thought I would toss it out there as I've jumped head first into them and have grown to be quite fond of them. We ended up looking into Juniper and tried out their SRX gateways and after a week or two of testing ended up ordering 40 SRX100's and a SRX240 for our corporate office. Once I got used to Junos I found myself feeling more comfortable on Juniper gear than I had with Cisco and I have a lot more hands-on time with Cisco not to mention classroom and self-study time spent learning it.

Just thought I would throw another option out there. I would probably have had 40 ASA's instead since that is what I was more familiar with when we were ready to order. But at that point (few months ago) Cisco was having horrible supply issues with ASA's and they just weren't available.

Chivalry1

RTmarc wrote: »

I'm in this club.

By the way, don't put FortiGates in the same category as the Firebox. Watchguard has some of the most backwards logic I've ever encountered.

Im in the club. Check this post http://www.techexams.net/forums/general-certification/58100-fortinet-training-certification.html

Fortinets are great firewalls! i have worked with Fortinets firewalls in a corporate environment. They are not by "ANY" means in the same catogory as Watchguard Firebox. I would rather run IPTables before running that crap they call a Watchguard firewall. I am a Cisco PIX firewall guy and Fortinets are the best competition.

Lower your operational, deployment and support cost by choosing a set of Fortinet Fortigate 800 Firewalls. Think to yourself there is a reason why Fortinet has a "Fan Club"

Sidenote: From the stock market today 9/28/
Cisco closed @ 21.86 {CSCO}
Fortinet closed @ 24.36 {FTNT}

mikej412

Chivalry1 wrote: »

Sidenote: From the stock market today 9/28/
Cisco closed @ 21.86 {CSCO}
Fortinet closed @ 24.36 {FTNT}

CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68

subl1m1nal

Good stuff guys. I've always been partial to cisco since my training at school has been with cisco products. However, since school, I don't spend a lot of time working on the equipment. Set it and forget it type deal.

I don't think we'll get rid of our cisco routers. Maybe we'll put a fortigate or juniper behind the ciscos for some added security.

Thanks for the replies guys!

it_consultant

I gotta hand it to Juniper, they have some of the best firewalls I have ever seen. They aren't cheap though.

Bl8ckr0uter

mikej412 wrote: »

CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68

Owned lol!

jojopramos

+1 to Mike....

NightShade1

Fortinet Fan here also :P

dont put fortinet on watchguard category please....

mikej412 wrote: »

CSCO Market Cap: 124.35B. P/E (ttm): 16.46. EPS (ttm): 1.33
FTNT Market Cap:   1.74B. P/E (ttm): 35.82. EPS (ttm): 0.68

Cisco founded 1984...
Fortinet founded 2000...

Chivalry1 wrote: »

Im in the club. Check this post http://www.techexams.net/forums/general-certification/58100-fortinet-training-certification.html

Sidenote: From the stock market today 9/28/
Cisco closed @ 21.86 {CSCO}
Fortinet closed @ 24.36 {FTNT}

for 16 years of advantage in the market this should not be happening... shame on cisco

it_consultant

How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at there success as a company.

I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.

NightShade1

it_consultant wrote: »

How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at there success as a company.

I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.

Umm if you see in the Magic Quadrand from Gardner you see Fortinet really near cisco in the challenger quadrand.... even if cisco has 16 more years than fortinet in the market...

In the SMB Fortinet is the leader in there... not to mention that in the enterprise firewalls fortinet is in the challenger quadrant while watchguard is in the niche players you cant put them both in the same category...

Anyways what you think Cisco firewalls are better than fortinet ones? im assuming you think that... tell me if im wrong...

Another interesting note... Fortinet went public last year... so fortinet was owning by itselft... now just give it a few years and we will see...now they got greater financial resources....

it_consultant

My preference for firewalls (based on personal experience) is this:

Palo Alto or Checkpoint (tied for one only because Palo Altos are INCREDIBLY expensive)
Netscreen
Cisco ASA
Watchguard

I have used each of those products so I can attest to there high and low points.

As far as the value of a company is concerned, the stock price indicates how much a stock is worth right now. Which is great for investing, however it does nothing to indicate cash on hand, research and development, mergers and acquisitions, etc. which all combine to determine the actual market standing and power of a company. Thats not to say that fortinet is not an outstanding company, its to say that comparing stock prices as the sole way to indicate how well a company is doing is too narrow.

Heero

NightShade1 wrote: »

for 16 years of advantage in the market this should not be happening... shame on cisco

So if fortinet had 10 total shares at $20 each, and Cisco had 100 million shares at $10 each, Fortinet would somehow be better?

Last i checked stock price is only important when comparing it to the SAME companies previous prices, not a competitor with different amounts of stock/market capitalization.

msteinhilber

I'm sure the OP really had debating stock price, market cap, and stock split history in mind when he created this thread, wait - that's not what he asked about. Pretty sure he has plenty of information to go off from now to make a more informed decision.

Chivalry1

it_consultant wrote: »

How many times has Cisco stock been split? The stock value of a company only gives you a very narrow look at there success as a company.

I will keep fortinet and WG in the same class, they are about the same price and offer the same features. Besides "backwards logic" I have not heard a decent criticism of WG yet. I don't like them because they nickel and dime you, which irritates me. As far as performance goes, haven't had an issue. I have seen them successfully mitigate internal and external threats where other firewalls would have failed.

I think the mass majority of us here have managed these firewalls in one manner or another. Again I am basing this off "my" IT consulting experience. I have managed CISCO PIX/ASA, Netscreen, Juniper, Watchguard, Sidewinder and IPTables. I am just saying in my experience Fortinets are the best firewall solution. The majority of my experience is Cisco so the nickel and diming is not a new concept to me.

The stock reference shows customer and consumer confidence in the product regardless of the volume. Seeing that the company only went public 4th quarter last year, its amazing that the stock is worth as much. Gardner report only provides more fuel.

To get back to the main question get Fortinet and leave the pricey Cisco appliances to the corporate companies that have excess money to spend.

NightShade1

it consultant
you should try fortinet firewall if you havent... you will see they are pretty awsome...
you are the first person i know that pick watchguard over fortinet O_o

hypnotoad

Cisco Price/Earnings is 16.4
Fortinet is in the low 20's

it_consultant

NightShade1 wrote: »

it consultant
you should try fortinet firewall if you havent... you will see they are pretty awsome...
you are the first person i know that pick watchguard over fortinet O_o

I would love to try fortinet, unfortunately, like many things, firewall purchasing decisions are out of my control. I had to fight tooth and nail to get an ASA for a network I put in. The ASA was a grand cheaper than the WG and arguably a better product.

I still rip out more Sonicwalls than I would like to admit!

falcon101

Damn I love this topic since FORTIGATE Router/Firewalls are the bread an butter in our network topology.

As much as Cisco is praised (and it should be in some sense) I have nothing but love for the Forti's.

We use their 60, 100A, 200 and 110C devices all over. I have personally deployed 13 of these suckers at our Corporate and 12 branch offices. We get the CPE's (Cisco, Samsung UBIGATE and Netopia) from the ISP's and then the Forti takes care of the rest.

Few advantages are COST, support and Manageability. Setting up access policies, routes, VPN gateways etc etc has never been easier. Its amazing that how much our network infrastructure relies on these devices. Yes, we have issues where 2 of have gone down but that's what config and appliance backup are for. Although they don't offer any Net Mon software but Fireplotter is simple and just awesome for graphical network monitoring in addition to their built-in stuff.

I have not messed with their WiFi products but they look tempting. One thing i do have to admit, I have so much been spoiled with the Fortis within the last 7 years that I haven't touched a CISCO products which kinda concerns me for any future endeavors and CCNA. I guess that where CBT nuggets and TrainSignal comes in

ssampier

As mentioned Juniper is a solid product. It costs us less than Cisco with greater port density.

For instance, a Juniper SRX 240 costs I think $2,300. The Juniper SRX includes 16 Gig-E ports. They had a lighter product with 3 or 4 ports for $1,000 or so. I can't remember what version the "lighter" one was, however.

I am not a salesperson. I just had the job of picking out a firewall for 3 educational agencies and I did some simple training.

msteinhilber wrote: »

I know you didn't mention these specifically but thought I would toss it out there as I've jumped head first into them and have grown to be quite fond of them. We ended up looking into Juniper and tried out their SRX gateways and after a week or two of testing ended up ordering 40 SRX100's and a SRX240 for our corporate office. Once I got used to Junos I found myself feeling more comfortable on Juniper gear than I had with Cisco and I have a lot more hands-on time with Cisco not to mention classroom and self-study time spent learning it.

I was pretty impressed with JUNOS-ES. I never got the command line down, but I did like the web gui. It was usually pretty snappy (with the frequent small, 'bugs', however). At least it was when I used 9.4. I haven't touched one in months.

I also never setup the VPN. It wasn't a huge priority and I had easier options. How much was the VPN per user, if you don't mind my asking?

cablegod

ssampier wrote: »

As mentioned Juniper is a solid product. It costs us less than Cisco with greater port density.

For instance, a Juniper SRX 240 costs I think $2,300. The Juniper SRX includes 16 Gig-E ports. They had a lighter product with 3 or 4 ports for $1,000 or so. I can't remember what version the "lighter" one was, however.

I am not a salesperson. I just had the job of picking out a firewall for 3 educational agencies and I did some simple training.

I was pretty impressed with JUNOS-ES. I never got the command line down, but I did like the web gui. It was usually pretty snappy (with the frequent small, 'bugs', however). At least it was when I used 9.4. I haven't touched one in months.

I also never setup the VPN. It wasn't a huge priority and I had easier options. How much was the VPN per user, if you don't mind my asking?

I run an all Juniper gear shop, SSG/SRX firewalls, SA SSL VPN's, and EX series switches. The VPN on the SRX/SSG's may work, but I find it much simpler for end-user VPN to use the SSL VPN appliances from Juniper. They work absolutely GREAT. Worth every cent, just like the rest of their products that we use. Juniper made a believer out of me, and I was dyed-in-the-wool Cisco 5+ years ago. I like Juniper so much, I even bought Juniper stock after our "conversion". Funny, but true

Forsaken_GA

it_consultant wrote: »

I still rip out more Sonicwalls than I would like to admit!

This is not a bad thing. Every time I run into one of those damn things, I want to reenact the scene from Officespace with the printer

Forsaken_GA

cablegod wrote: »

but I find it much simpler for end-user VPN to use the SSL VPN appliances from Juniper. They work absolutely GREAT.

Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user

ssampier

Forsaken_GA wrote: »

Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user

They do look pretty sweet. For our purposes Windows RRAS is just as easy (although probably not as secure).

Admittedly some of my confusion was because I was not familiar with IPSec at the time. Phases? Diffie-Helman? This VPN is related to Mayonnaise?.

cablegod

ssampier wrote: »

This VPN is related to Mayonnaise?.

Haha, I said the same thing when I was learning about IPSEC.

NightShade1

Forsaken_GA wrote: »

Wholeheartedly agree, Juniper's SSL VPN appliances are easy to work with for both, the admin and the end user

Same with Fortinet SSL... you just give the end user a tiny program they just put their user name and password and ip or FQDN of the fortigate and there you go.... you can give access to users in the whole network per user... like that user has permition to that server which is in panama and this user has this permission for this server which is in italy.... you can route those users thorugh fortigates with their logical interface in which you can even run OSPF between them.... its fantastic... you would just need one vpn access to access the whole network if you wanted....
Not only with SSL vpn you can do the same thing with IPSEC vpn....

I dont know if you can do that with a watchguard... or with an ASA... or with junier
can you? i actually have no idea... anyone can enlight me if you can do these kind of things on these equipment

cablegod

NightShade1 wrote: »

Same with Fortinet SSL... you just give the end user a tiny program they just put their user name and password and ip or FQDN of the fortigate and there you go.... you can give access to users in the whole network per user... like that user has permition to that server which is in panama and this user has this permission for this server which is in italy.... you can route those users thorugh fortigates with their logical interface in which you can even run OSPF between them.... its fantastic... you would just need one vpn access to access the whole network if you wanted....
Not only with SSL vpn you can do the same thing with IPSEC vpn....

I dont know if you can do that with a watchguard... or with an ASA... or with junier
can you? i actually have no idea... anyone can enlight me if you can do these kind of things on these equipment

The Juniper does. And it does it wonderfully. Very easy to setup & configure. I think they have a demo on their website. I tied mine into AD for authentication and it's worked flawlessly 24x7 ever since. Basically the user browses to http://vpn.companydomain.com (if you setup your DNS that way), login with their AD username & password, and they see what I've given them access to and any pre-configured RDP/Terminal Services/SSH sessions. You can do this on a group-level as well in the "roles" and "rolemapping" sections. It has a built-in WebEx like tool called SecureMeeting that works wonderfully as well that comes with (I think) 4x concurrent licenses out of the box. You can use Linux, Mac OS X, and Windows with the Juniper SSL VPN. That was a BIG selling point to us. The hostchecker is very well-done too. Meaning for Windows clients, if they do not have an approved (by the security admin) antivirus program that is running and UPDATED, it will deny access. You can get extremely granular and creative in all areas of configuration. It's been absolutely great for us. I can't recommend it highly enough.

APA

+1 for Juniper SRXs we have SRX240's deployed in our network... brilliant little things

Also have some Juniper ISG1000's delpoyed as well...run the screenos code but still rock solid firewalls...

Always been a PIX\ASA man myself but playing around with the SRX has been a very beneficial experience.

Haven't used fortinet much..... but from what I have seen and heard they are pretty handy devices.