Fortinet Vs Palo Alto - High Level View
Vložit
- čas přidán 7. 08. 2024
- I get asked a lot about which is better, a Fortinet FortiGate or a Palo Alto Firewall.
In this video we dive head first into the competition and I discuss some differences between the two.
If you like this video and would like to see performance speed test let me know and I can try to source each version and have a bake off!
Buy Hardware: bit.ly/2QZVeqh
Get Consulting: bit.ly/36FinSU
My Other Projects:
Office Of The CISO: bit.ly/3HGMH1o
Packet Llama: bit.ly/3SEX3H4
###### SOCIAL LINKS ######
Twitter: bit.ly/2WXiRAv
Facebook: bit.ly/3eigz4D
Instagram: bit.ly/3cZneAz
######################
Subscribed and liked, great content overall, thanks guru!
Great video, keep it up!
Thanks for this good video :) I have been working with palo Alto for years and am just starting with Fortigates :) a fair comparison. currently i can say, i would like to have a Pangate :) both devices have cool features
Useful comparison videos. You should continue. Thanks
Excellent information, thank you for the video, will subscribe for the help.
great video! would love to see also a comparison with check point. keep up the good work!
I’ll be drilling all the vendors
Great video! I've had the same experience -- as a freelance network/infosec engineer, I've come to rely heavily on Fortinet for SMB deployments because of the bang-for-the-buck factor. When businesses don't have a large or flexible IT budget, it's a struggle to get them to secure anything properly -- but even for small shops, Fortinet makes it relatively easy to get them to secure their network first, simply because of the security value at their fair pricepoints, instead of the usual "spend the money on securing the network only after having had a breach".
Absolutely. A more palatable up front cost helps leadership commit.
Agreed we just went to a pair of 200F models.
Great infos, thank u sir for sharing your knowledge
Really good video thanks
Was just asked to research this as we use Fortinet but there are talks to switch to Palo Alto! Thanks!
The content is undoubtedly worthy.
Appreciate the kind words
What course would you recooment to help setup firewall. I am using watchguard firewall, interested in some guidance and help
Thanks for the video. Trying to get away from Sophos firewalls (they die too often and are pretty slow)
Great video thank you
No problem
You are AWESOME !!!
its been a year now, would like to know if it's still the same
Currently using untangle / Sophos XG or pfsense at home, but looking at a PA-220 lab unit now.
I POC'd Fortinets, SonicWalls, Palo Altos, and Sophos. Fortinet's came out on top with their security scores, usability, and hugely, cost. My colleagues loves Palo Alto and always talks shit when they cant figure something out on Fortinets - I just say "gimme half of your salary so we can go Palos".
Palo is the sexy shiny object that grabs folks attention.
Wow your channel is a rare find. Please make more tutorials. I bought and expensive course on fortinet and didn’t even cover much
Thanks for the kind words. I wish I had more time to do even more. Working on streamlining some things and being able to add more variety.
how does checkpoint compare with these two
The urge I have after saw that hair, but don’t get me wrong, as usual, quality content dude !!!!!!!!
LOL
Its funny, we just completed a several weeks long POC for a customer, and the exact words from the customer regarding Panorama Vs. FortiManager were "Wow, FortiManager is SO much more clean, intuitive, and polished than PANW's, and others we've seen recently management platform". it really seems to all come down to each individual user these days, and their budget for a security solution. its like the Apple Android debate.
Funny ) You forget to say that you have to learn 3 different interfaces: GUI at FortiGate, FortiManager and FortiAnalyzer.. Panorama GUI and GUI at PA NGFW are equal by interface.
If you say so. Panorama's GUI is almost like the normal Palo Alto firewall with its templates and device groups so you don't need to learn things from the start. Also Panorama can collect logs and you do not need FortiManager/FortiAnalyzer or FortiAuthenticator as this all can be done with Panorama and the normal firewalls.
Do you have a bullet point pros, cons in general vs Checkpoint? Thx
I have used and managed all 3 including SonicWalls, Mikrotik and Sophos UTM's and they all have their own strengths and weaknesses. The easy to filter and read live log of the Sophos and Checkpoints are great but the checkpoints will drive you up the wall with just basic stuff like trying to white-list a URL and their support is not that great. They bricked our management server trying to do a storage update. Thankfully we had a backup from the night before we were able to restore but it was a huge inconvenience.
Checkpoints are also expensive for what they are.
fix the wpa3 on the 40Fwifi....just bought it and cannot use.
Nice comparison. As I've worked on a very basic level with both, I lean towards Fortinet. In setting up both to access Internet and configuring Site to Site VPNs, the time to complete these is about one half the time it takes as compared to Palo Alto. Some pieces of configurations are automatically done, which saves time. Fortinet's GUI is arranged better than Palo Alto's. Fortinet has a built-in CLI on it's firewall without having to resort to downloading a third-party terminal emulator, or switch back to the console. As far as GNS3 VMs for example, Fortinet has a satisfactory memory limit of 2 gigs while to allow Palo Alto to run in a similar fashion, takes more than twice the amount of memory. Overall, as far as the two firewalls are concerned, even without price being a determining factor, more thought has been put into the construction of Fortinet firewalls.
Palo can revert to previous config when Panorama disconnected while pushing config. Could Forti do the same with their FortiManager and Fortigate? tq
You can do the same on a FortiGate / FortiManager. Will do a video about it!
Well spoken, it could have been better with comparison table.
got a question, is it possible to own a firewall for home security? there are a lot in ebay but I bet non of them come with a license so is it even worth buying them?
You can still do some app level things without a license. If you want the full power of the box though then licensing will be required.
@@FortinetGurufor a home network, does fortinet or palo alto firewall provide enough protection? or is it just spending money for nothing?
What do you think on buying a used Palo Alto, what implications can come up with that. I wan't to build a lab and match as much to the Government infrastructure as possible to learn.
Used devices are fine as long as you can still snag support on them. Modern firewalls have licensing needs in order to use the full functionality as they rely on threat feeds and more.
Is this possible wan failover with sdwan?
Yes. Will do a video explaining.
When you compare the _price per protected megabit_ you never say what exact models do you compare and what exact functions was enabled to protect his megabit. Can you say models where you get 2$ and 7$ per Megabit? In what operational modes do you compare the devices?
FortiManager gets a thumb down from me, but fortunately the FortiGate Cloud gives us access to manage devices individually. The Global Protect VPN hosted by Palo Alto is also pretty slick and can be fairly easily protected with Duo Mobile.
I would like to talk, where can I contact you?
Hi there ,
What about the job market for both the products ? Do you think fortinet gonna beat Palo Alto in the near future ?
I would need to look at numbers but I believe Fortinet already has a market share advantage. The numbers I was told with regards to that are dated though. Market share being number of units, not number of dollars. Palo cost more and can have higher revenue numbers without shipping the same quantity of units.
@@FortinetGuru Ah ok. I started to learn Palo Alto and I have been working with Fortinet for 4 years. They technology seems to be almost the same. However palo a lot seems to be a bit complicated but I like how they have the ability to revert back, commit and more granular stuff can be done in GUI compare to Fortinet.
Mp S you can do the same with a Fortigate.
In pure Firewall play they got the volume and the lower parts of market share for sure. Palo pricing and firewall range makes it difficult to compete there. But if you look at overall portfolio - Fortinet is like a hamster in a loop. They keep churning out ASIC based platforms as fast as they can at the price of loosing focus on everything else. Rest of their portfolio is really a me-too offering let's be honest.
Palo is smarter - investing in cloud heavily (check out Prisma products), the Cortex XDR play is ambitious and looks like a new type of solution with an interesting proposition.
In the long run Palo is really focusing on enterprise and all things cloud.
Fortinet is a budget friendly sweetheart with some fundamental issues that I don't even see them trying to address. Code quality is one of them - latest code is consistently a dumpster fire even by this industry standards that are low enough you could trip over.
@@Traumatree it's by design - alpha/beta by customers so QA costs can be lowered.
Not that it's new in the industry, but Fortinet's split architecture - running custom ASIC with SW makes it a real clusterfuck. Complexity comes fast at you...
Whats about Barracuda NGFW?
Oh there will be a video.
Fortinet announces the unprecedented speed of the 4200F at 800 Gb / s in a press release. However, they show an NGFW speed of 40 Gb / s.
800 Gb / s is the Fortinet 4200F speed in L4 firewall mode, which is no longer needed in corporate networks. With the same success, you can not buy any protection.
40 Gb / s is the Fortinet 4200F speed with the analysis of L7 applications, and in Flow Mode, which they did not write about. In Proxy Mode, it is usually 2 times slower.
For comparison:
64 Gb / s - Palo Alto Networks NGFW PA-5260 Speed with L7 Application Analysis
51.5 Gb / s - Check Point 28000 speed with L7 application analysis
Threat Prevention NGFW can be up to 10 times different when you expose traffic to sessions of different lengths: short or long.
Compare:
1) 10 Gbit per second can be driven in one TCP session by downloading a 1.25 Gigabyte file in one transaction;
2) 10 Gbps per second can be driven as 10,000 TCP sessions by downloading files of 125 kilobytes.
In routers, the length of a TCP session does not affect bandwidth in such a way, and in NGFW devices it becomes very critical, because in the first case you run inside the antivirus + IPS + URL filter, etc., and in the second case, run the antivirus 10,000 times + IPS + URL is a more serious workload in one second.
When Palo Alto networks offered a measured NGFW speed on identical HTTP traffic with 64Kb transactions, everyone refused. Therefore, NSS Labs and NetSecOpen. For example, here they already began to publish such tests on different transaction sizes www.netsecopen.org/certifications
You need to compare the unit in the same priceband... a 4200F is 165k$ , a 5260 a 250k$ platform...
+ NFGW spec in Fortinet is APP+IPS vs NGFW spec in PAlo in only APP... again, you are not doing a fair comparison ;) ... So 4200F is a 135 Gbps equivalent at your 64/67 Gbps PA-5260...
@@li0n40 It means that Fortinet is 4120$ per Gigabyte (165000$/40) and Palo Alto Networks is 3850$ per Gigabyte for PA (250000$/65). So 5260 is cheaper and faster than 4200F with this prices and performance. ;-)
@@BDVSecurity Where have you found 40Gbps for NFGW on a 4200F ?. Please read datasheet carefully : APP Control for 4200F (NGFW equivalent of PA) is : Application Control Throughput (HTTP 64K) : 135 Gbps
@@BDVSecurity Because Flow is replacing proxy mode year after years, and 3/4 new deployment is done un Flow mode. I can return the question with SSL Performance on PA ? ;) Why ?
Have you ever looked at Untangle..?
its trash
We have both, the PA 3220 at the outside perimeter with the UTM licenses and GlobalProtect for the VPN. It was selected for the mobile VPN clients specifically. So far into the deployment, I am not dissapointed. The OSPF work well, upgrades had no particular issues, did have one DOA which was replaced without the (yet) activated support contract. The UI on 10.1 can be considered busy, but it's hard when it has so many features.
The FG 201F we use for the internal firewall/vlan router without UTM, and it works well, easily pushing 10gbit+. The OSPF works pertty well, but upgrades can sometimes be rough (7.0.7 -> 7.0.8). Then there are the WAD issues that bugged is from 7.0.3 to 7.0.6.
The price comparison is a bust though, the PA was 80k euro with licenses, the FG was 13k euro with just premium support. So that's not a fair comparison. Also, the boxes are hardly comparable.
The PA3220 has a genuine OOB port and management UI seperate from all forwarding planes. It doesn't look that way on the FG 201F atleast, it gave me hassle. Using in-band management here.
I’ve been trying to get my hands on a palo for ages, they won’t even call me back
The tech support is really frustrating in overseas, the third party‘s engineer is rookie
Cdw?
I supported Palo Alto Firewalls for quite a few years before a job change which introduced me to FortiGates. My personal view is FortiGates are the best firewalls out there, from an administrator perspective at least! It blows my mind that people still choose Cisco when there are much better and more affordable options out there.
Don’t even get me started on Cisco and check point. I’ve started the research for checkpoint comparisons and Jesus it isn’t close. Checkpoint makes Palo look inexpensive 😂
@@FortinetGuru I worked in a purely Cisco shop for ~15 years, that was PIX (it was a while ago), ASA, 6500, 3700, WISM and Nexus. At the time I didn't know any better and thought the kit was good but after some exposure to Palo Alto and HP switches I saw the light! ;-)
Bruh you can't even configure everything on Fortia via UI, that's why they have that CLI widget. I like some visibility knobs they have like being able to see traffic stats per ingress/egress but then tried to use on-board reporting and it's pretty much useless. Need to get FortManager and it's completely different workflow logic.
Palo is 10 times better on marketing. I bought a FG for a company I was in and Palo still came out, did a demo and left me a Pa-200 and cupcakes :) I told the person upfront I am not buying anything but that still sticks in my head
FortiGates and PA's are absolutely amazing. Keep in mind though, you'd still need someone who knows what they're doing with these devices.
I like PanOS much better than FortiOS.
Big fan of pan software
I cut my teeth on fortios, so of course I prefer that, but I’m sure panos is good too
gee i wonder which you think is better, *fortinet guru*
Software wise Palo. Cost for what you get Fortinet.
It ls like you compare the Ferrari with the Fiat.
😂
wtf this guy talking about? The firewall throughput advantage is because Palo Alto is L7 only and who does L7 only in these days anyways. The specs of the fortigate firewall looks promising but I promise you, if you enable all the features on a Fortigate on all the rules(even the block rules) that appliance will die.
Panorama license also isn't cheap
This is true. Let’s face it though...fortiguard keeps creeping up
Fortinet has nothing on Palo Alto.. I have worked with both vendors and one thing that is absolutely clear is that when you looking at cost factor you'd probably go with Forti but if you looking functionality and better security Palo all the way...
Would you ever advise Fortinet on an electrical substation OT environment?
I have my NSE 4 etc and I will never go back to Fortinet. It's cheaper, but since I work at an FI where down time needs to be minimal, fortinet is a poor option. They are still way less stable and more buggy, and there are constantly vulnerabilities needing to be patched. Our Palo has sat there for months not needing maintenance. It also didn't have a backdoor built in.
PICTURES MY GUY
I've worked with Palo, Checkpoint, Cisco, Forcepoint, Sonic, Sophos and Fortinet and they had pro's and cons. I do like Fortinet for their price, I've rolled out it out at two different companies and for that price it's really hard to justify many others but companies like Palo Alto always are able to stay as a great contender while Checkpoint is that white glove and Cisco is... well... Cisco. Fortinet, has that price point, while some products are not as mature, I'm good friends with a guy with Cisco Viptella and after a late night of 'unf*cked this patch!', yeah, Fortinet's issues aren't that bad for it's price.
And how about sonicwall from your perspective?
Add more numbers and outside sources. While you did a great job balancing the two with accurate personal assessments, numbers help people. I would also get a “Palo Guy” to do the video with you. Way more eyes on something like that. I can introduce you to one if you’d like.
Hey James, may be worth a live stream or a podcast I suppose!
Where i work are planning to change to Fortinet in AP,switches and FW(for the price). but the interface sucks, you can do almost nothing in the GUI... honestly, we have a palo alto 32xx. and only with the website documentation and videos of youtube, i already know how to use it, without even use the terminal i can do whatever (im new in the firewall administration).... but with forti...bleh.... its a like a mac....not very intuitive..a lot..., poor documentation and video.. and you are the only one that post video..LOL.... the company need to get better...
X forward not supporting, on dns query if the request comes from dns server fortigate unable to found the actual host who genrate the query, cost is also hide fortigate asking about diff cost for every license and many type of support... performance is very poor firewall going in conservative mode
We let our f5 load balancers handle xff/true-ip so thats not an issue for us. As for DNS query, havent had that issue before. Not sure what version you were playing with. We running on 1500Ds, 500e and 80e's. Conserve mode? Maybe you under spec'd your firewall for the wrong environment?
Yes, I had the same issue with a HA cluster of 80E running 6.2.3 going in Conserve mode over the night when there was NO traffic. Mem usage was above 75% !! I scheduled a daily reset on IPS sensor , now memory is at 66-70% while there are just a couple of remote VPN users. Bad user experience.
@@adipapaianus There's your issue, No one should be running 6.2.x in production! Stick with 6.0.8 until 6.2.4 is stable/tested
@@bryancromwell9625 Well if there is no known bug, it could be something else, so maybe your advice is not the solution.
We are China Supplier of Cisco-HPE-Dellemc- Oracle-Supermicro-Lenovo-IBM-Brocade-Supermicro-H3C- Huawei -F5- Juniper-Fortinet
I thought it says fortnite
both offers laughable protections tho, once cyberattacks get in the network.. all you got to do is SHUTDOWN your network LOL, it's written in both of their guidelines.
what would you suggest? please dont say xdr lol
Sorry that you keep getting Fortnite comments. I bet it’s annoying
WTF wth that hair bro?
😂
Palo is only better than Fortinet when it comes to marketing. Palo has the WORST support across ALL all of IT. Hold times are avg 1.5 hrs on a normal day. Been that way for at least 5 yrs.
It was close to that when we deployed them
1.5 hrs ! Not acceptable when a customer is breathing down your neck.
Palo Alto Networks is better than Fortinet
We will agree to disagree when it comes to TCO. I have ran both and I can't personally justify the premium vs performance difference.
your haircut is soooo distracting
Sorry for partying fake RDJ. 😂
pfSense i $0 per Gbit 😁😁😁