Enterprise Firewalls: Fortinet vs Palo Alto
Posted by Senior_Conclusion102@reddit | sysadmin | 70 comments
All things being equal (price/specs etc) which vendor would you select and why? Are there any major gotchas or detractors from either/both?
lexbuck@reddit
I get unsolicited email from Fortinet nearly every day so for that I’d choose Pablo Alto without ever using it.
MFKDGAF@reddit
How does Palo Alto do their Global Protect management/access/licensing?
With Fortinet you have to purchase licensing for FortiClient EMS that manages your VPN clients. FortiClient EMS server used to be a Windows installation only but now is Ubuntu 22.04 installation only.
I'm hoping they come out with a container image or dedicated virtual appliance.
W3tTaint@reddit
There's a reason Palo Alto is 30-40% more expensive than Fortinet.
artekau@reddit
I would agree with this
MFKDGAF@reddit
I feel like everyone would but that's just my opinion.
tgwill@reddit
Concur. Not that Fortinet is bad. But Palo is just so much more polished.
Anything is better than Firepower
MrSanford@reddit
Fortinet is bad
unixuser011@reddit
I use firepower myself and can't see any problems with it - granted that's just me. Yea, FMC's a complete resource hog but it's pretty solid to me
bimbar@reddit
The whole firepower / asa thing is terrible.
redeuxx@reddit
What is the reason?
iammiscreant@reddit
That so many people drank the kool-aid.
MFKDGAF@reddit
I demoed both vendors back in 2019 and these were my observations.
Palo Alto is x2 the price of Fortinet.
Palo Alto uses the "save changes and commit" technique like Cisco does. I don't care for this because I've forgotten to commit more times than I can count. FortiGate is just save the changes.
Palo Alto is far superior to FortiGate when it comes to application and URL databases for blocking content.
I also think your question depends on what kind of enterprise environment. Are there going to be end user workstations behind it or are there only going to be servers behind it (e.g. in a data center)?
I've only ever used Cisco ASAs and FortiGates so I am a little biased, but just from seeing my other teammates use Palo Alto it seems kind of confusing, because it looks like in order to deploy an allow policy they have to go to about 3-5 different screens.
jaaydub42@reddit
Both are great platforms.
My preference leans towards the PAN.
Things the FortiGates do that can be frustrating:
Places where FortiGates shines:
unixuser011@reddit
Cisco does that, but then they have 'commit confirm'
ghost_of_napoleon@reddit
FWIW, Juniper has ‘commit confirm’.
unixuser011@reddit
I like the way JunOS does it, treats its config almost like git in the way that you can do RCS
workaccount70001@reddit
That's what the FortiManager is for.
darkgauss@reddit
In the newer firmware versions, you can have it either way.
gihutgishuiruv@reddit
There is no way but the FortiWay
FlyingStarShip@reddit
Wow, it took them a looooong time but glad that it is changed.
chuckbales@reddit
Ehhhh while some of their design docs are good, too much of their regular documentation consists of just tables full of "SETTING-NAME - Enabling this option enables SETTING-NAME"
magicc_12@reddit
I don't agree with shiny documentation. There were many issues with our forti, there was nothing useful in official documents or forums. Instead of Reddit, Spiceworks, Quora sites were the solutions.
CasherInCO74@reddit
Two years ago we looked at both, and went Palo Alto. Up front cost was neck and neck. Renewals on the Palo feel like more. But... WAY better than the platform we came off of. So there is that. Definitely better quality of life.
SaucyKnave95@reddit
Argh, CLIFFHANGER! What platform did you come from?
Art-Vandalay-5880@reddit
We spent months trying to get a fortigate working with Cisco Duo and couldn't. Duo support were useless. If you've got the budget go with Palo Alto.
981flacht6@reddit
Duo for VPN MFA?
Art-Vandalay-5880@reddit
Yep, FortiGate 80F SSL VPN, running AD with RADIUS. Couldn't get Cisco Duo to work. Gave up and am trying other products now.
ewileycoy@reddit
Regardless of which you choose, always protect those management interfaces!!! Do not expose them to the internet, for god's sake.
wreckeur@reddit
Paying special attention to this since we're kicking off a project to move from SonicWall to Fortinet.
Cormacolinde@reddit
All things being equal, Palo-Alto.
But they aren’t. Generally, if you can afford the Palo Alto (it’s usually more expensive), and you know both equally (or know neither), get the Palo-Alto. Or if you’re US government, obviously there’s no choice.
If your budget is tighter, you have other Fortisauce products, or a lot of institutional knowledge, go with FortiGate.
chronic414de@reddit
I wouldn't use any of them. Both have over 20 CVEs up to a score of 9.8 in the last 3 months alone. For security products this is very bad.
foofoo300@reddit
depends if you want the security flaws from the one or the other
user_is_always_wrong@reddit
so you have to do this
plump-lamp@reddit
Didn't palo just release some big ones?
Exkudor@reddit
Fortinet too. And Sophos shat the bed a while back. It's bad right about now.
Princess_Fluffypants@reddit
Sort of, but it only affected people who were doing catastrophically stupid things.
plump-lamp@reddit
Have you seen the shittysysadmin sub?
Princess_Fluffypants@reddit
Do you mean /r/networking? :D
Haha kidding. But no, I haven’t.
zeetree137@reddit
Obligatory opnsense
gihutgishuiruv@reddit
As a big fan of OPNsense: this is like replying to "should I buy a Lamborghini or a Maserati?" with "buy a skateboard".
unixuser011@reddit
You can get pretty close using zenarmor and a decent IPS/IDS - but still nothing compared to Alto or firepower
onawave12@reddit
PA all the way.
cfmdobbie@reddit
Used to run PA, moved to Fortinet.
Biggest difference for me was changes applying live. With PA you can stage changes, check the configuration, run a diff of the changes, then apply it with a useful comment. Fortinet just applies as you go.
AWESMSAUCE@reddit
Both don't look too good in recent history, in terms of PA actively putting malware on customers and FG having vulns that are absolute nightmares. We have both and are looking for replacements.
bcredeur97@reddit
Firewall is only as good as your people knowing how to use it.
Review the docs for both on doing what you need to do, choose the one that you’re most comfortable with.
VirtualPlate8451@reddit
AI is changing that.
xtc46@reddit
Do you prefer SSL VPN vulnerabilities or having no money?
IdoNotKnowYouFriend@reddit
Fortigate has so many vulnerabilities. Stay away.
wrt-wtf-@reddit
Photos or it didn’t happen. Don’t forget to list the competitors. No one is innocent, especially given the amount of code sharing with open source libraries.
wrt-wtf-@reddit
I use both and if the business is large and can afford it, I use both by design with one backing the other.
I like PA’s GlobalProtect.
If I was stuck with only one, it's the Forti on bang for buck.
djgizmo@reddit
Palo if you have the money, Fortinet if you don’t.
981flacht6@reddit
I never had a chance to look at Palo since they quoted us so high off the bat.
I went to FortiGate over Cisco Firepower, which I still believe was the best choice. However, in 18 months of production we've had about 3 instances where we went into "conserve mode", where the memory overloads and the firewall basically dumps all sessions and tries to recover. When it happens it's disruptive, but with an HA pair you can easily move over the firewalls.
There is some automation you can do to alleviate this and set up some alerts so you get notified and don't have to be constantly watching.
After each event we went into escalations w/ our account managers so we got the right people and engineering on it to find any bugs and sort out long term solutions. So while there are bugs, they are willing to work with us and put in a good amount of effort in rectifying any major issues.
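The conserve-mode alerting the comment above mentions, as an added example that is not code from the thread or from Fortinet: it pairs "enters" and "leaves" conserve-mode event messages per device from key=value syslog lines and flags a device that is stuck in conserve mode or has entered it repeatedly. The sample log lines are constructed for this example; their field values and message wording are assumptions, not a real FortiGate capture.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in FortiGate-style key=value syslog. Field values and
# message wording are assumptions for this example, not copied from a real device.
SAMPLE_LOGS = [
    'date=2024-03-01 time=08:00:00 devname="fw-edge-1" type="event" subtype="system" level="critical" msg="Kernel enters memory conserve mode"',
    'date=2024-03-01 time=08:00:10 devname="fw-edge-1" type="traffic" subtype="forward" level="notice" msg="accept: tcp/443"',
    'date=2024-03-01 time=08:05:00 devname="fw-edge-1" type="event" subtype="system" level="notice" msg="Kernel leaves memory conserve mode"',
    'date=2024-03-01 time=09:30:00 devname="fw-edge-1" type="event" subtype="system" level="critical" msg="Kernel enters memory conserve mode"',
]
EXAMPLE_NOW = datetime(2024, 3, 1, 10, 0, 0)  # "current time" assumed for the sample run

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_kv(line):
    """Split one key=value syslog line into a dict, stripping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def conserve_mode_episodes(lines):
    """Pair 'enters' and 'leaves' conserve-mode messages per device.
    Returns (devname, entered_at, left_at) tuples; left_at is None when the
    device has not recovered by the end of the input."""
    open_ep, episodes = {}, []
    for line in lines:
        rec = parse_kv(line)
        msg = rec.get("msg", "").lower()
        if "conserve mode" not in msg:
            continue  # ordinary traffic/event line, ignore
        ts = datetime.fromisoformat(f"{rec['date']}T{rec['time']}")
        dev = rec.get("devname", "?")
        if "enters" in msg and dev not in open_ep:
            open_ep[dev] = ts
        elif "leaves" in msg and dev in open_ep:
            episodes.append((dev, open_ep.pop(dev), ts))
    episodes.extend((dev, ts, None) for dev, ts in open_ep.items())
    return episodes

def alerts(episodes, now, stuck_after=timedelta(minutes=10),
           max_per_window=1, window=timedelta(days=1)):
    """Alert on a device still in conserve mode past stuck_after (HA failover
    candidate) or one that entered it more than max_per_window times in window."""
    out = [f"{dev}: in conserve mode since {entered:%Y-%m-%d %H:%M} (no recovery seen)"
           for dev, entered, left in episodes
           if left is None and now - entered >= stuck_after]
    per_dev = {}
    for dev, entered, _ in episodes:
        if now - entered <= window:
            per_dev[dev] = per_dev.get(dev, 0) + 1
    out += [f"{dev}: entered conserve mode {n} times in last {window}"
            for dev, n in per_dev.items() if n > max_per_window]
    return out
```

In production the same functions would be fed from the syslog collector or FortiAnalyzer export rather than the embedded sample list.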
ranhalt@reddit
Checkpoint?
Shington501@reddit
Who's buying, that's the real question. Not everyone needs the best enterprise features to secure their business. Most businesses would be fine with Forti... Palo has a stronger ecosystem.
Conscious-Glove-437@reddit
It's not even close, Palo is far superior in every regard.
JiggityJoe1@reddit
It depends. If you just want a firewall to route and secure traffic, FortiGate is great. If you need VPN, FortiEMS and FortiClient blow. It works, but nothing like Palo's GlobalProtect. FortiGate is normally cheaper, so if I didn't need a VPN, I would go. Otherwise, go with Palo; the extra cost would be worth it.
BrainWaveCC@reddit
You will do fine with either product, as they are leaders in enterprise security. Both have gotchas that you will see when you get deep into their ecosystems, but they are different gotchas, so it evens out.
Palo Alto costs more. Sometimes that cost feels warranted, but sometimes it doesn't.
I've supported and managed both, and if it is coming out of my budget, I'd go with Fortinet to drag those $$$ out more. If it is paid for by someone else (other department, etc), I'm ambivalent.
Outrageous-Insect703@reddit
The way I look at it, no one is fired for buying Palo Alto or Cisco
No_Profile_6441@reddit
PAN all the way
Tourman36@reddit
Fortishit with their zero day VPN vulnerabilities and being compromised or Palo Alto who doesn’t have zero days every week… tough choice.
eric-price@reddit
Meanwhile PA patched theirs yesterday
https://www.darkreading.com/cyberattacks-data-breaches/palo-alto-networks-patches-critical-zero-day-bug-firewalls
But you're right they're not every week. Just this week.
xXNorthXx@reddit
Outside of the management plane, Palo has had very few issues over the years. That being said, they did have some ugly GP issues within the last 2yrs.
Palo code quality isn’t what it used to be, years ago it was more stable and part of it I get where they keep trying to put more and more code on the platform is going to introduce issues.
Whatever model Palo you have quoted, it can handle whatever the spec sheet says for performance with everything turned on. Fortigates work well too but always oversize slightly as the throughput numbers are a bit off when a bunch of features are enabled.
PBandCheezWhiz@reddit
I was a server/storage guy almost my entire career. I got that locked down and then due to other reasons we fired our network guy.
We have been in full on Fortinet. Gates, APs, switches, analyzers etc. I love it and have a few certs with them now.
bb502@reddit
Search for Fortinet vulnerability and go back 2 years. Next week after you've looked through the list (it will take that long) you decide.😉
Space_Goblin_Yoda@reddit
If you want to integrate your firewalls with a SOC, go with PA. Their logging is superior and it's quite transparent.
caponewgp420@reddit
I manage both right now and prefer the fortigate but that could just be because I’ve used it more. I like the no commit on Fortigate but you do need to be a little more careful. Pricing for the Palo with licensing was a few thousand more.
people_t@reddit
Doesn't matter. I have used both, I personally prefer Palo but they both do the same stuff just different ways/names they use. Whatever you pick make them include proper training credits and do the training.
BitOfDifference@reddit
Like Fortinet, the interface is mostly intuitive, the logs show lots of information, upgrades are rather simple, HA actually works and is a seamless hand off during upgrades/failover. Renewal time is tough as they price stuff pretty high, so get 3-5 years baked in up front. Then replace the hardware when it's up, much cheaper than renewing the support on the hardware. Seems they want everyone on the newest gear price wise. They also make stuff way faster with each gen. Easy to VPN from one to another as well.
Holmesless@reddit
Logs in PA are great. Rarely need to jump into cli.
cantstandmyownfeed@reddit
Been a Fortinet shop for 10+ years and no major complaints. They're easy to work with, intuitive interfaces, and their support is decent.