Fortinet vs Cisco

Comments

  • APA Member Posts: 959
    I want to play with some Juniper SA devices... I've heard brilliant things... alas, I don't manage the company VPN, as internal IT services looks after that and they still use Cisco SSL via the ASAs...

    I must admit AnyConnect works flawlessly for us, though... so I can understand the lack of pursuing Juniper SAs...

    CCNA | CCNA:Security | CCNP | CCIP
    JNCIA:JUNOS | JNCIA:EX | JNCIS:ENT | JNCIS:SEC
    JNCIS:SP | JNCIP:SP
  • NightShade1 Member Posts: 433
    cablegod wrote: »
    The Juniper does. And it does it wonderfully. Very easy to set up & configure. I think they have a demo on their website. I tied mine into AD for authentication and it's worked flawlessly 24x7 ever since. Basically the user browses to http://vpn.companydomain.com (if you set up your DNS that way), logs in with their AD username & password, and sees what I've given them access to and any pre-configured RDP/Terminal Services/SSH sessions. You can do this on a group level as well in the "roles" and "role mapping" sections. It has a built-in WebEx-like tool called SecureMeeting that works wonderfully as well and comes with (I think) 4 concurrent licenses out of the box. You can use Linux, Mac OS X, and Windows with the Juniper SSL VPN. That was a BIG selling point to us. The host checker is very well done too, meaning for Windows clients, if they do not have an approved (by the security admin) antivirus program that is running and UPDATED, it will deny access. You can get extremely granular and creative in all areas of configuration. It's been absolutely great for us. I can't recommend it highly enough.

    Wow, built-in WebEx, that sounds great!!

    FortiGate also has host checkers, but I have to admit I have not tested them...
    You don't need any licence for any of what I was mentioning with Fortinet... so I guess it's way cheaper doing this with Fortinet products.
    If you use the classic web browser for SSL, I guess it will work for Linux and Mac as well.

    Juniper sounds really interesting...
    Are they really expensive? And I'm asking about their whole line in general... I mean switches, routers, etc.
  • cablegod Member Posts: 294
    NightShade1 wrote: »
    Wow, built-in WebEx, that sounds great!!

    FortiGate also has host checkers, but I have to admit I have not tested them...
    You don't need any licence for any of what I was mentioning with Fortinet... so I guess it's way cheaper doing this with Fortinet products.
    If you use the classic web browser for SSL, I guess it will work for Linux and Mac as well.

    Juniper sounds really interesting...
    Are they really expensive? And I'm asking about their whole line in general... I mean switches, routers, etc.

    In my experience, they are cheaper than Cisco. I bought 7 of their EX3200 24-port GE PoE, full Layer 3 capable switches for about $1700 each about a year ago. The comparable Cisco was much higher than that.

    The SA product is not very expensive by itself. The user packs are where it starts to hurt a bit.
    “Government is a disease masquerading as its own cure.” -Robert LeFevre
  • it_consultant Member Posts: 1,903
    Same with Fortinet SSL... you just give the end user a tiny program; they just put in their username and password and the IP or FQDN of the FortiGate, and there you go... you can give access to users in the whole network per user... like that user has permission to that server which is in Panama and this user has this permission for this server which is in Italy... you can route those users through FortiGates with their logical interface, in which you can even run OSPF between them... it's fantastic... you would just need one VPN access to access the whole network if you wanted...
    Not only with SSL VPN; you can do the same thing with IPsec VPN...

    I don't know if you can do that with a WatchGuard... or with an ASA... or with Juniper.
    Can you? I actually have no idea... can anyone enlighten me on whether you can do these kinds of things on that equipment?

    WG does this as well; VPNs are very similar device to device. You get the option to route or bridge your VPN client sessions. If you route them you can use the same standard or extended ACLs that you can with regular physical interfaces. I think even in bridging mode (on the ASAs) you can set security policies between the two sets of traffic, but I am not sure.

    It's the client that ticks me off with WG. The SSL client is OpenVPN with a WG GUI interface, which is FINE except when you look at the logs to figure out why the client isn't working right; I have to go to the OpenVPN support page to find the answers I need.

    The Cisco and Juniper clientless VPN software is like a dream come true. My girlfriend's work uses the Cisco one, which displaced a Juniper SSL appliance. The Cisco works great. One of my major clients uses the Health One EMR program, and they log into a site that runs the clientless Juniper SSL software; excellent as well.
  • Daniel333 Member Posts: 2,077
    Whenever I get to make a decision I do a chart...
    1) Will it meet my customer's needs
    2) Simplify their environment
    3) Reduce costs
    4) Politics

    So it may seem freaking crazy, but ISA Server more often than not met my criteria the most. Anyhow, if I had to choose between the two I would go Cisco ASA, just to keep my switches/routers etc. all the same vendor.
    -Daniel
  • it_consultant Member Posts: 1,903
    Daniel333 wrote: »
    Whenever I get to make a decision I do a chart...
    1) Will it meet my customer's needs
    2) Simplify their environment
    3) Reduce costs
    4) Politics

    So it may seem freaking crazy, but ISA Server more often than not met my criteria the most. Anyhow, if I had to choose between the two I would go Cisco ASA, just to keep my switches/routers etc. all the same vendor.

    Only a couple of years ago Juniper and Cisco had different appliances for SSL VPN and traditional firewalling. Now they've combined those functions and provide a clientless SSL VPN; talk about simplifying! Removing the client solves 95% of your problems.
  • Daniel333 Member Posts: 2,077
    Hopefully DirectAccess will make it even easier in time. Still a lot of legacy clients out there, though.
    -Daniel
  • subl1m1nal Member Posts: 176
    Boy, I knew I'd stir up the pot with this question. Good stuff guys. I like a good debate.
    Currently Working On: 70-643 - Configuring Windows Server 2008 Applications Infrastructure

    Plans for 2010: MCITP:EA and CCNA
    70-648 - Done
    70-643 - In progress
    70-647 - Still on my list
    70-680 - Still on my list

    www.coantech.com
    www.thecoans.net
    www.facebook.com/tylercoan
    www.twitter.com/tylercoan
    www.linkedin.com/users/tylercoan
  • webbgem Registered Users Posts: 1
    Hey all,

    This thread is exactly what I needed to decide which firewall to purchase for our small branch office.

    I couldn't decide between WG and Forti.
    I believe after reading this I will go Forti.

    I love working with Cisco firewalls; I'll just have to work my way into a job that can afford my preferences, I guess.
  • RTmarc Member Posts: 1,082
    Assuming WG is WatchGuard, that is probably the worst platform I've ever had to work on in my opinion.
  • Slowhand Mod Posts: 5,161
    I still rip out more SonicWalls than I would like to admit!
    Sadly, this was the opposite case for me at a prior company. Our staff was comprised mainly of server guys, none of whom really worked with the CLI, and we also had a partner relationship with SonicWall. I did cheer myself up with the fact that some of the Cisco 1721 routers, PIX 501 firewalls, and Juniper NetScreen 5XP devices I tore out to replace with SonicWall TZ 170s and 180s were labelled 'old garbage devices' by my bosses, and they asked me to simply toss them out... which I did, right into my lab.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • chrisone Member Posts: 2,278
    Without disrespecting anyone on here, I see the fans of both brands like this:

    1. Those with Cisco ASA experience prefer ASAs.
    2. Those without Cisco ASA experience prefer the other brands.

    I myself prefer Cisco over all.
    Certs: CISSP, EnCE, OSCP, CRTP, eCTHPv2, eCPPT, eCIR, LFCS, CEH, SPLK-1002, SC-200, SC-300, AZ-900, AZ-500, VHL:Advanced+
    2023 Cert Goals: SC-100, eCPTX
  • docrice Member Posts: 1,706
    Great timing on this thread. I currently manage a couple of PIX 515Es in active/standby and, given that it has pretty much been EOLed, I was considering moving on to a 5510 (seems like the natural step, right?). But that said, I've heard almost nothing but good things about Fortinet and Palo Alto. I also know practically nothing about them. It's possible this year we may finally upgrade the firewall and I'd like to see what the Fortinets are all about.

    The question then becomes how easy it would be to transition from using a PIX (and the ACLing and other old ASA-specific principles) to inserting a Fortinet appliance into the mix. We also have a 5505, but we use that strictly as an SSL VPN appliance (my environment has a lot of moving parts, but is technically for a smaller user base).

    I agree with what others have said about the Juniper Secure Access series. We have an SA 2000 in my environment (along with an F5 1205, old Aventail EX-750, and Check Point UTM) and I must say it's generally easy to handle, although the management interface feels a little disjointed in configuring realms with the "sub-tabs" in the GUI. But that's just me.

    Interesting to hear about the WatchGuard. When you mentioned the SSL VPN client for it does both routed and bridged modes, I immediately thought, "Hey, OpenVPN does that as well."

    I've heard that SonicWall appliances require a periodic automated check-in to a public SonicWall licensing system and that this isn't something that can be bypassed, even if you set up an outbound rule to prevent it. Furthermore, I heard their licensing server was DDoSed once or twice, effectively blacking out many SonicWall customers and their firewalls from operating. True?

    Most of my firewall experience has been around the PIX, though. While this particular issue can probably happen with any vendor, on occasion a firewall code update can change the command config syntax a bit. For example, on my home ASA I'm running the latest code, 8.3(2). Apparently the NAT syntax changed from 8.2(x), and now I have to figure out how to get my remote access working. Bummer for me for not reading the release notes.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
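    The 8.2-to-8.3 NAT change docrice runs into is the usual reason remote-access VPN stops working after that upgrade: the "nat 0 access-list" NAT exemption no longer exists, and 8.3 also evaluates ACLs against real (untranslated) addresses rather than translated ones. The following is an added example, not docrice's configuration or anything posted in this thread; the interface names, the 10.1.1.0/24 inside network and the 10.99.99.0/24 VPN client pool are assumed.

```text
! --- ASA 8.2(x) and earlier: NAT exemption for LAN <-> VPN pool traffic (assumed addresses) ---
access-list NONAT extended permit ip 10.1.1.0 255.255.255.0 10.99.99.0 255.255.255.0
nat (inside) 0 access-list NONAT

! --- ASA 8.3(x): "nat 0 access-list" is gone; use identity NAT between network objects ---
object network INSIDE-NET
 subnet 10.1.1.0 255.255.255.0
object network VPN-POOL
 subnet 10.99.99.0 255.255.255.0
! Real and mapped are the same object on both sides, so LAN <-> VPN client traffic is left
! untranslated. Manual NAT (section 1) is evaluated before object NAT (section 2), so this
! rule wins over the dynamic PAT below without any ordering tricks.
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static VPN-POOL VPN-POOL

! Ordinary outbound PAT for the LAN, in 8.3 object-NAT form (section 2)
object network INSIDE-NET
 nat (inside,outside) dynamic interface

! Check: trace a LAN -> VPN client flow; the NAT phase should show the identity rule above
! being hit, not the dynamic PAT, and the packet should be allowed.
packet-tracer input inside tcp 10.1.1.10 12345 10.99.99.5 3389
show nat detail
```

    The same identity-NAT pattern covers site-to-site tunnels as well; only the destination object changes. If the identity rule is missing, the PAT rule rewrites the LAN source address before encryption, the traffic no longer matches the tunnel's crypto ACL or the client's assigned routes, and remote access looks broken even though the VPN itself comes up.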
  • docrice Member Posts: 1,706
    Daniel333 wrote: »
    Hopefully directaccess will make it even easier in time. Still a lot of legacy clients out there though.

    Speaking of DirectAccess, have you ever implemented this? I started on a project for this as a demonstration environment last year but I stopped halfway into a working setup (I screwed up the IPv6 part of it and I got busy with other things). Plus none of our customers have ever queried us about this, and we have a lot of large enterprise accounts.
    Hopefully-useful stuff I've written: http://kimiushida.com/bitsandpieces/articles/
  • deth1k Member Posts: 312
    Go with Juniper; they do everything in ASIC rather than CPU (well, apart from establishing sessions). They also have a separate control plane for management, so in case you're being DDoSed you'll still be able to access it, unlike Cisco.

    P.S. I'm not talking about low-end SOHO stuff.
  • it_consultant Member Posts: 1,903
    RTmarc wrote: »
    Assuming WG is WatchGuard, that is probably the worst platform I've ever had to work on in my opinion.

    None other than: a box with lots of red spray paint. I prefer Junipers and Palo Altos, but the latest revs of the WG software are leaps and bounds better than a couple of years ago.

    The best WG device by a long margin is their anti-spam device. Of course, they bought that technology when they acquired BorderWare.
  • Slowhand Mod Posts: 5,161
    As for the question at hand, I'd vote for going with a Cisco ASA. The reason is the same one I'd give over most brands: there are lots and LOTS of resources out there for configuring Cisco devices, not to mention Cisco sports more extensive training and books on their devices than any other networking company. I don't know about others here, but I've had mostly good experiences in dealing with SMARTnet, though I've also found that most manufacturers' enterprise-level support is pretty good.

    Bottom line: Cisco devices are capable of doing pretty much anything you'll need, the support is there if you get stuck, and you're bound to find a case study or a how-to online if you spend some time looking around for a situation similar to whatever you need to do. And, if nothing else, I hear there are a lot of Cisco-trained IT goons running around on TE to bug with questions.