Home page logo

educause logo Educause Security Discussion mailing list archives

Re: Checkpoint Vs. Palo Alto Vs. Fortinet
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Fri, 1 Nov 2013 17:45:52 -0500

Hi Allan. I might be able to provide a little information for you on this topic. I want to be up front though, I work for a vendor who sells all three of these products. That said, I spent 6 years managing a Check Point infrastructure for a college, 18 months managing a Fortinet infrastructure for a power company, and another year managing Palo Alto in my own home. I've also been consulting on Check Point and Palo Alto for the last 18 months.

This is my own personal opinion and not that of my company. My favorite of the three is Palo Alto. They have some growing up to do, but I believe they are making great strides, especially in the newer versions. I often find that the system works with few issues. The only real issue I have had with the system is in respect to system load. Randomly my PA-200 will become very slow on the management side. The data side seems to continue just fine. I believe it is because I am running a lot of different features on such a small box. Under normal use, the system is great. Troubleshooting the system can occasionally be a pain, but it is nothing compared to Check Point.

On the other hand (and again, my personal opinion) Fortinet severely lacks. I have not tried the newer software, but I know on the 30+ devices I was using in the past, they were always overloaded even though the devices were rated for significantly more traffic than was passing through the system. We were always having firewall related issues of some sort or another. I have a brand new FortiWiFI 60C sitting on my desk waiting for testing, but I haven't gotten to it yet. Maybe it will change my mind.

As far as Check Point, they definitely have their place and once they are up and running they continue running. My biggest three issues with Check Point is with upgrades, feature changes, and troubleshooting. Upgrades are a serious pain in the rear. There are a lot of things that have to be manually upgraded or migrated to new hardware because the upgrade process doesn't do it for you. They will change how things work from version to version, which may cause issues. (AD replication negotiation immediately comes to mind). Lastly, troubleshooting is a big pain because traffic is processed in so many different ways that it becomes difficult to figure out. I was recently dealing with what should have been a simple fix, but it took Check Point themselves nearly 3 months to figure it out. On the plus side, Check Point has a great management dashboard and is a good system for non-techies since they probably won't be doing their own troubleshooting anyway.

Those are just my opinions on each. All have their pros and cons though.

Nathaniel Hall

On 11/1/2013 5:05 PM, Allan Nelson wrote:


My institution is currently reviewing its firewall strategy with the aim of upgrading/replacing our current firewall infrastructure. We are currently a Checkpoint shop, with devices providing both Advanced Networking and firewalling (UTM) capabilities. We recently met with reps from Palo Alto and Fortinet and on the surface they both seem to provide viable, possibly even cheaper alternatives. I just wanted to hear from the group of any experiences with Palo Alto and/or Fortinet to help us in our decision making. We currently have a combination of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.


Allan Nelson

Manager, Security and Governance

University of Trinidad and Tobago

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]