Educause Security Discussion
mailing list archives
Re: Checkpoint Vs. Palo Alto Vs. Fortinet
From: Nathaniel Hall <educause-lists () NATHANIELHALL COM>
Date: Fri, 1 Nov 2013 17:45:52 -0500
Hi Allan. I might be able to provide a little information for you on
this topic. I want to be up front though, I work for a vendor who sells
all three of these products. That said, I spent 6 years managing a Check
Point infrastructure for a college, 18 months managing a Fortinet
infrastructure for a power company, and another year managing Palo Alto
in my own home. I've also been consulting on Check Point and Palo Alto
for the last 18 months.
This is my own personal opinion and not that of my company. My favorite
of the three is Palo Alto. They have some growing up to do, but I
believe they are making great strides, especially in the newer versions.
I often find that the system works with few issues. The only real issue
I have had with the system is in respect to system load. Randomly my
PA-200 will become very slow on the management side. The data side seems
to continue just fine. I believe it is because I am running a lot of
different features on such a small box. Under normal use, the system is
great. Troubleshooting the system can occasionally be a pain, but it is
nothing compared to Check Point.
On the other hand (and again, my personal opinion) Fortinet severely
lacks. I have not tried the newer software, but I know on the 30+
devices I was using in the past, they were always overloaded even though
the devices were rated for significantly more traffic than was passing
through the system. We were always having firewall related issues of
some sort or another. I have a brand new FortiWiFi 60C sitting on my
desk waiting for testing, but I haven't gotten to it yet. Maybe it will
change my mind.
As far as Check Point, they definitely have their place and once they
are up and running they continue running. My biggest three issues with
Check Point are with upgrades, feature changes, and troubleshooting.
Upgrades are a serious pain in the rear. There are a lot of things that
have to be manually upgraded or migrated to new hardware because the
upgrade process doesn't do it for you. They will change how things work
from version to version, which may cause issues. (AD replication
negotiation immediately comes to mind). Lastly, troubleshooting is a big
pain because traffic is processed in so many different ways that it
becomes difficult to figure out. I was recently dealing with what should
have been a simple fix, but it took Check Point themselves nearly 3
months to figure it out. On the plus side, Check Point has a great
management dashboard and is a good system for non-techies since they
probably won't be doing their own troubleshooting anyway.
Those are just my opinions on each. All have their pros and cons though.
GSEC GCFW GCIA GCIH GCFA CNSE
On 11/1/2013 5:05 PM, Allan Nelson wrote:
My institution is currently reviewing its firewall strategy with the
aim of upgrading/replacing our current firewall infrastructure. We are
currently a Checkpoint shop, with devices providing both Advanced
Networking and firewalling (UTM) capabilities. We recently met with
reps from Palo Alto and Fortinet and on the surface they both seem to
provide viable, possibly even cheaper alternatives. I just wanted to
hear from the group of any experiences with Palo Alto and/or Fortinet
to help us in our decision making. We currently have a combination
of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.
Manager, Security and Governance
University of Trinidad and Tobago