Educause Security Discussion mailing list archives

Re: Fortinet vs. Palo Alto


From: Will Froning <will.froning () GMAIL COM>
Date: Mon, 7 Mar 2011 01:32:33 +0400

Hello Joe,

I've pasted below part of an e-mail I sent off-list to Corbett:

======================
I assume they gave us an underpowered box. We sent them our requirements before the POC (same as we did for the PAN), 
and the box they brought just couldn't handle it. It could be they didn't have a big enough box in the product line 
when we looked, or they just screwed up. I don't have any details on the hardware since I've deleted those e-mails. 

In partial defense of FortiNet, vendors/distributors/partners in this region are idiots. Just one month ago we invited 
Meru Networks to come out for a POC. We told them if it was successful we would consider replacing our existing 300+ 
APs. They missed the deadline... I mean they just had to bring in the hardware for a POC?!? The EMEA Director begged 
for a second chance (which we will give him), but wow there's a whole lotta suck out here.
======================

So I don't know the hardware, but I remember their ASICs at the time were the big talking point with Palo Alto Networks 
propaganda. So it could have been just before they released an updated ASIC.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning 
On Thursday, March 3, 2011 at 11:20 PM, Joe Guenther wrote:
Which model of Fortinet did you evaluate?

We have a set of 3016's in HA for our edge. They work very well, but we are not on a multigig external connection... 
and we do not use them to filter web site categories. I am very happy with these firewalls on the network edge.

We also have a set of 3810's in HA with the new 4x10gig port ADM-XD4 modules as our server firewalls. It was 
interesting as this project was designed using the older 2 port modules with the intent to push 10gig traffic over 
the backplane/central CPU, to then realize that the architecture of the FortiGate only allows 1gig or 4gig of traffic 
over the central CPU/backplane. The only solution was to use the 4-port ADM-XD4 modules and keep the traffic within 
the module. That was the only way to deal with multigig traffic. This works. We do IPS, and Active Directory driven 
rules to segregate secure servers (financials & student information databases). We can do full 10gig throughput with 
them. Our traffic levels have not reached 10gig, but we do get multigig traffic throughput on a daily basis with no 
trouble at this point.
Apparently the newer 3900 series firewalls have been re-architected.

I have found the support and especially the professional services from Fortinet to be excellent. The only complaint 
along that line is that it takes Fortinet a long time to fix a bug in the VPN / RADIUS authentication. The current 
firmware build has not been released for the 3016's - and apparently that bug has been fixed in that release. So they 
seem to struggle there.


Joe Guenther | Sr. Network Administrator | Olds College | 4500-50th Street | Olds, Alberta | T4H 1R6 | 403-507-7923 - 
Office | 403-559-8340 - cell

-----Original Message-----
From: Will Froning [mailto:will.froning () GMAIL COM]
Sent: 25 February, 2011 10:32 PM
Subject: Re: Fortinet vs. Palo Alto

Hello Corbett,

We evaluated Fortinet and Palo Alto two years ago to replace our EOL'd PIX.
We ran a span port on our outbound traffic to the Fortinet and it died in
less than 1 hour.

We picked Palo Alto Networks. :) We had a couple of growing pains the first
couple of months, but it has proven to be a great product with plenty of
power.

Here are a few things we haven't tested yet, but want to:
* IPv6: The UAE NREN (Ankabut) is actively being rolled out as a dual-stack,
so I suspect we will have a much better idea once the summer rolls in.
* PBR: We are waiting for our second link from the only other ISP in UAE to
test this out.
* Traffic Shaping: We are still using our Exinda, but it would be nice to
drop one more thing.
* SSL Decryption: It works, but I'm concerned about AppID digging too deep
and misidentifying the stuff being protected by SSL so we haven't rolled it
out.
* BGP with ZX SFPs: In theory we could drop our edge router and run our
links directly into the PAN with ZX modules, but that's a little scary. I
haven't heard of anyone trying this, but I haven't revisited this for over
a year.
* CnC detection: PAN is trying to move into the FireEye realm. Sounds nice,
but I suspect it is based on reactive updates instead of the VM analysis
FireEye performs. Not as good, but anything helps I suppose. This is new to
PanOS 4.0.

Annoyances:
* AppID Updates: If you don't actively watch the announcements when new
applications have been identified, you may wake up one day to find that
SMTP traffic from the Ariel server is no longer going through (changed from
application smtp to ariel).
* No PPPoE: iPhones and other mobile devices are left out in the cold for
VPN services (_might_ be in PanOS 4.0).
* Not your Mom's firewall: It has been hard for some of the Cisco guys to
grasp that PAN rules are based on Apps not just ports. It requires the
networking team to have a better understanding of the services they are
allowing through. It's "blackboard" and "webdav" not port 80.

I'm available if you have other questions.

Thanks,
Will

--
Will Froning
Unix SysAdmin
Will.Froning () GMail com
MSN: wfroning () angui sh
YIM: will_froning
AIM: willfroning
On Friday, February 25, 2011 at 6:21 PM, Consolvo, Corbett D wrote:
Folks,
We're doing some firewall evaluations and I was wondering if anyone has
any input on Fortinet vs. Palo Alto. We're looking at them for multi-Gb
installations (perimeter, data center, possibly dorms) and my impression is
that Palo Alto is more polished but Fortinet looks to be less expensive as
well as providing some features (such as vulnerability assessment and
chassis versions) that Palo Alto doesn't. Any feedback (especially real-world
experience) on either or both products would certainly be appreciated.

Thanks
Corbett Consolvo
Texas State University
