Fortigate vs Firepower for SMB. Cisco fails. List of issues.

Hugo Drax

Cisco touts the Firepower line as "NGFW" as if the buyer were getting an NGFW like a Fortigate. But you really don't.

An SMB wants an appliance that provides admin VPN access and NGFW features such as application control, etc.

Here is what you get with the Fortigate. (Cisco offers a unified FTD image, but it's beta/work in progress and missing features of the classic ASA/ASDM setup, for example VPN client access.)

#1 VPN licenses included, even for mobile device clients (yes, Cisco even charges a separate license just to use an iPad). Cisco does include 2 licenses, but they are restricted.

#2 There is no separate IPS sensor instance, which requires a Firepower Management Console VM license. You literally have to connect a third Ethernet interface (mgmt) as a loopback so you can access this separate IPS sensor instance running inside the ASA box.

#3 You get 2 FortiToken licenses included. The coolest part is that the appliance will provide services for the soft/hard tokens. It is super easy to set up two-factor authentication for a critical admin account. Super slick: it will even text you or email you the activation key and you're good to go. (REAL NICE surprise bonus.)

#4 Licensing is so easy: the moment you plug in your box you get a registration screen, it connects and software packages are activated. You can even download and install updates right from the box itself. A list of versions is provided and you can pick and choose. Huge difference vs dealing with SmartNet.

#5 Real DHCP server; you can even reserve addresses with a click.

#6 Device inventory. This is real slick: you can see everything on your network and it organizes them by device type, etc. Lots of good info, and if you right-click on a device you can reserve an IP address, view traffic, etc. for the device in question.

#7 Management app for iPad, Android, etc. (I had no clue such a thing existed; what a nice surprise.) SUPER slick and it works great. WTF Cisco? You guys need to spend less on stock buybacks and more on R&D.

#8 No crappy antique Java-based ASDM.

#9 Super slick dashboard: all kinds of widgets you can put on this dashboard, and you can drag them around, resize, etc. Very well done; plenty of info at a glance.

#10 Built-in dynamic DNS capability, and very easy to use.

#11 Single pane for management. With Cisco you have to purchase a license for Firepower Management Console, set up VMware, etc. to host this VM, even to manage 1 appliance.

Now you can purchase the 5506-FTD-K9 and it will mitigate #11 and #2, but you lose the 2 free VPN licenses included with the traditional setup. The console is nowhere near as elegant as the FortiOS 6 system; night and day. It is still a work in progress. Licensing is trickier going the FTD route as well.

I will be adding to the list as I discover new features, but overall there is no way I could recommend that any small business choose a Cisco Firepower product over what Fortinet offers today.


Additional info: the 61E loafs and runs much cooler than the outgoing 5506-X.

Yes, they even charge you extra for more capacity when it comes to sessions and things like wanting to have a redundant pair setup (you have to purchase the Security Plus license).

5506-X: new sessions per second = 5,000 (10K with Security Plus license) / concurrent = 20K (50K with Security Plus license)
Fortigate 60E series: new sessions per second = 30,000 (600% greater) / concurrent = 1.3 million

5506-X: AVC/IPS = 125 Mbit
60E: AVC/IPS = 250 Mbit (2x faster)

Concurrent VPN client connections:
5506-X: 50
60E: 500 (10x higher)
VPN licensing with Cisco is EXPENSIVE.


Hardware/subscription costs
Cost: 5506-X Security Plus appliance with 3 years of SmartNet and Firepower/URL filtering subscription
$3,794

3 years of web filtering ($189 a year, total $567)
3 years of Firepower subscription: $1,462

Then $48 per AnyConnect Apex license (10 extra users = $480)
Then a $99 license if you want mobile device AnyConnect

For the Fortigate 60E, 3 years of support/subscriptions to everything, even web filtering:
Cost = $1,068. No need to buy extra VPN licenses, etc. And you get a superior product.
 
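Item #3 above describes turning on FortiToken two-factor authentication for an admin account from the GUI. The following is an added example of the same thing done from the FortiOS CLI; it is not configuration from the original post or from Fortinet's documentation. Everything specific in it is an assumption for illustration: the admin account name "netadmin", the token serial "FTKMOB0000000000" (a placeholder for the serial shown under User & Device > FortiTokens once a mobile token is activated), the mailbox the activation code is sent to, and a management subnet of 192.168.1.0/24. Lines beginning with "#" are explanatory and not part of the configuration.

```fortios
# Added example, not the poster's config. Assumed: admin "netadmin",
# FortiToken Mobile serial FTKMOB0000000000 (placeholder), management
# subnet 192.168.1.0/24, notification mailbox netadmin@example.com.
config system admin
    edit "netadmin"
        set accprofile "super_admin"
        # Restrict where this account may even attempt a login from.
        # Requests from any other source are dropped before the password
        # prompt, which also keeps the WAN-side GUI out of reach.
        set trusthost1 192.168.1.0 255.255.255.0
        # Require a FortiToken code in addition to the password.
        set two-factor fortitoken
        set fortitoken "FTKMOB0000000000"
        # Mailbox that receives the mobile token activation code.
        set email-to "netadmin@example.com"
    next
end
```

Two practical checks before relying on this: the activation email only goes out if the unit's email server is configured (System > Settings > Email Service in the GUI, config system email-server in the CLI), and you should finish activating the token on the phone and confirm a login in a second browser session before closing the one you used to enable two-factor, so a typo in the serial or a lost activation code cannot lock you out of the only admin account.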

thecoolnessrune

Yep, for small businesses the Fortigate 60E is really the superior product. The UI is better (way better), it licenses easier, and it is very obvious that the Fortigate 60E was designed with local consideration in mind with remote add-on functionality (FortiCloud), while Cisco's solution is designed with central threat administration in mind, with local sites essentially just getting a black box they can't manage.

Some of the things like your point 11 make that remote management focus of Cisco painfully (or happily) obvious, depending on your use case. For instance, Cisco has historical analysis and detection for zero-day exploits. If traffic passed and got through, and was later identified as malicious, Firepower will retroactively identify and alert on that. Fortinet has no such thing. Once the traffic has passed it's immediately forgotten. Cisco can actually assess whether a device is vulnerable to an exploit (for instance, if a Linux device is getting hammered from the internet with an RDP exploit, the Firepower system will actually note that in its impact assessment). The Fortinet only has the standard threat profile; it doesn't actually look to see if the device is vulnerable to the threat. That plays into the contextual awareness that Cisco can leverage, while the Fortinet can only do so if you install endpoint software on compatible systems. Fortinet is still entirely signature-based, like how the MARS system worked back in the day. Again, because of the appliance, Cisco Firepower can detect and deal with sandbox-aware malware. Fortinet can as well, but only if you buy the appliance or cloud solution.

That's why the Fortinet 60E is such a potent solution for small businesses. While the above concerns are big concerns, for small businesses there are few enough systems that your general folk can wear the systems admin hat and deal with the stuff that the Fortinet doesn't cover (or the extraneous alerting). The 5506-X is an extremely competitive solution when used as a site gateway to a larger HQ deployment, but it's extremely lackluster when used as a standalone device.
 

Hugo Drax

It definitely seems like Fortinet is firing on all cylinders when it comes to servicing everyone else that Cisco does not care about (i.e., other than government entities and large monolithic entities that have the "can't be fired for buying Cisco" philosophy). Cisco reminds me of Big Blue during its period of epic hubris within the company. Fortinet definitely offers a complete soup-to-nuts solution: everything from switches, cameras, APs, etc., and all of it can be managed from the Fortigate UTM appliance as a single pane of glass. I actually opened up one of the booklets that shipped with the unit and was surprised to see that you can plug an iPhone straight into the USB port of the unit and, with the app, restore a config, reconfigure, etc. WOW, that is so awesome: if you have a unit that goes bad, all you have to do is unbox, power up, plug in the iPhone and restore the config. That is so handy and will cut down immensely on field tech time; time is money :) It seems whoever designed the product lines at Fortinet talked to customers, etc. and developed the products for their needs.

#12 You get 10 free FortiClient licenses. This provides antivirus, IPS, identity, vulnerability scanning, security posture NAC, a VPN client, etc. Quite comprehensive, and 10 licenses will cover a small shop like a dentist's office with a few workstations, so when you take your laptop home you are still protected and you can push/enforce policies from your Fortigate appliance. With this and the free FortiToken license, the business owner's laptop can be well secured.

I am pushing 80 Mbit and the CPU on this thing is loafing at 3%, and this is with all features and logging turned on. Lots of traffic is getting punted to silicon vs software routines on the general-purpose CPU. I see plenty of traffic hitting what is called SPU and nTurbo. Need to read up on what nTurbo vs SPU is.

No small business has any excuse now not to have a well-secured office network. Nice to see a vendor offer a comprehensive solution across the board for the small business owners who have been shut out in the past by the big vendors. This is just like when computing was only for the big boys and the small guys were shut out until the PC revolution.

Cisco reminds me of IBM in so many ways. Maybe in 10 years they will have a real hashed-out NGFW/UTM appliance. They better wake up soon. :)
 

Genx87

Some of the vendors we are gathering SD-WAN info from use Fortigate as the firewall. I evaluated them in 2014 when moving off SonicWall. Liked what I saw, but at the time felt it was too close to SonicWall for logging purposes. Ended up going with Sophos. Looking forward to seeing this in a demo.
 

bbhaag

How good is Fortigate at keeping up with PCI compliance standards? We have two workstations and four credit card terminals on the network. Our processor uses a company called Trustwave to scan our network monthly to check for PCI compliance standards.
I looked over the data sheets for some of the Fortigate firewalls and it looks like they are PCI compliant, but I'm curious how well they keep up with it.
 

Hugo Drax

Genx87 said:
Some of the vendors we are gathering SD-WAN info from use Fortigate as the firewall. I evaluated them in 2014 when moving off SonicWall. Liked what I saw, but at the time felt it was too close to SonicWall for logging purposes. Ended up going with Sophos. Looking forward to seeing this in a demo.

In 2014 I was not sold on Fortigate yet. I had the opportunity to play around and test the HW, but I was a bit underwhelmed. I am sold on it now, though; I just added the AP to the mix. It was so easy to set up that I was actually able to set it up on my iPhone using the FortiExplorer app. When you plug in an AP it detects it and it shows up as an unauthorized access point; all you do is authorize it, it gets an IP address and checks for updates, and you can do the update. They make it so easy. You can set up a complete SMB network rather quickly and get it up and running.

Cisco is light-years behind them when it comes to the small to medium-size business market. All the Fortinet products just fit together like pieces in a puzzle, and being able to use your iPhone to quickly get things done is very nice. Another cool feature is the built-in auditing feature that looks at your overall network configuration, gives it a rating and provides all kinds of tips on how to improve your rating; you then have the option to apply the fixes right from the management screen. There is no excuse anymore to set up a poorly secured and configured SMB network. The FortiClient is great for locking down the laptops and only allowing them access if they comply with the security posture you set up.

If I was a contractor or in the business of setting up and maintaining businesses (such as restaurants, law firms, doctors' offices, etc.) I would definitely go 100% Fortinet at this stage; it's all turnkey and easy to get going and keep running.
 

Hugo Drax

Setting up a trunk port and then the network policies and port forwarding is much simpler on the Fortigate than on the ASA. Port forwarding is much more straightforward on the Fortigate. I went and set up a NUC workstation and plugged it into the trunk port, with one VLAN being the DMZ, and created a network policy along with an IPS policy tailored to an HTTP server. I spooled up in VirtualBox an Ubuntu server along with the LAMP stuff so I can run a Lychee photo sharing website. It all works well, and within 24 hours the attacks began, with the IPS doing its job blocking all kinds of stuff from different vulnerability assessment scans against my site. It would pick up on ZmEu/Masscan/Nikto/Muieblackcat along with other kinds of attacks. I set the policy to do a packet capture for each event; it's nice to be able to see the packet capture within the management UI or to click download and view it in Wireshark. I really appreciate how easy and straightforward everything is with this NGFW appliance; it just works and does not tie up your time just trying to keep it up and running, etc.

So far so good, no crashes or lockups, and it's been running for 17+ days. It is amazing to see how quickly anything you expose to the internet begins to attract the bad actors, who then quickly start running tools to pick at the lock. At this point there is no excuse for any small business not to run a secure network. These guys throw it all in: from 10 free clients that provide AV protection, etc., to two-factor authentication in a box with 2 free clients, etc.

You can buy 10 hard tokens for 180 bucks, which is not bad at all. I remember back in the day the RSA SecurID tokens were priced way out of proportion; it was like 100 bucks a user for 3 years, and then you needed to set up servers, etc. We have come a long way from those days.

One feature I really like is the ACL with packet capture; if you are setting up a honeypot and want to grab everything interesting, you are well served by this option.
 
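The post above walks through the DMZ build by hand in the GUI: a VLAN on the trunk port, a port forward to the web VM, a policy with an HTTP-server IPS profile, and packet capture on each IPS event (the same capture the later paragraph recommends for a honeypot). Below is an added FortiOS CLI example of that layout; it is not the poster's configuration and not taken from Fortinet's documentation, and every name and address in it is assumed for illustration: the 60E's default LAN interface "internal" carrying the trunk, DMZ VLAN 10 on 10.10.10.0/24, the Lychee VM at 10.10.10.20, WAN interface "wan1" with the documentation-range public address 203.0.113.10, and the LAN on 192.168.1.0/24. Lines beginning with "#" are explanatory and not part of the configuration.

```fortios
# Added example, not the poster's config. Assumed: trunk on "internal",
# DMZ VLAN 10 = 10.10.10.0/24, web VM 10.10.10.20, WAN "wan1" with
# public IP 203.0.113.10, LAN 192.168.1.0/24 behind "internal".

# 1. Tagged VLAN sub-interface on the trunk; the NUC's VirtualBox VM
#    tags its traffic with VLAN 10. Only ping is allowed to the gateway
#    itself so the DMZ cannot reach the GUI/SSH on the FortiGate.
config system interface
    edit "dmz10"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        set allowaccess ping
        set role dmz
        set interface "internal"
        set vlanid 10
    next
end

# 2. Port forward: only TCP/80 on the public address maps to the VM.
config firewall vip
    edit "lychee-http"
        set extip 203.0.113.10
        set extintf "wan1"
        set portforward enable
        set mappedip "10.10.10.20"
        set extport 80
        set mappedport 80
    next
end

# 3. IPS sensor tailored to a server: server-side HTTP signatures of
#    medium severity and up, blocked, logged, with the triggering
#    packet captured so it can be opened from the log or in Wireshark.
config ips sensor
    edit "dmz-http-server"
        set comment "Server-side HTTP signatures, block and capture"
        config entries
            edit 1
                set location server
                set protocol HTTP
                set severity medium high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
        end
    next
end

# 4. Policies. The accept rule is scoped to the VIP object, not "all",
#    so nothing else in the DMZ is reachable from the WAN. The explicit
#    deny from DMZ to LAN exists for its logging: FortiOS already drops
#    traffic that matches no policy, but silently.
config firewall policy
    edit 0
        set name "wan-to-dmz-web"
        set srcintf "wan1"
        set dstintf "dmz10"
        set srcaddr "all"
        set dstaddr "lychee-http"
        set action accept
        set schedule "always"
        set service "HTTP"
        set utm-status enable
        set ips-sensor "dmz-http-server"
        set logtraffic all
    next
    edit 0
        set name "dmz-to-lan-deny"
        set srcintf "dmz10"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Two caveats from running this kind of setup. First, attach the capture-enabled sensor only to the WAN-to-DMZ policy: with log-packet on, every scanner hit stores a packet, and on a 60E-class unit (which logs to flash or memory unless a FortiAnalyzer or FortiCloud is configured) a busy honeypot can exhaust log space quickly. Second, the "dmz10" VLAN only isolates the web VM if the NUC's VirtualBox adapter is bridged to the tagged VLAN and not to the untagged LAN; check from the VM that 192.168.1.0/24 is unreachable and that the deny policy, not the implicit drop, is what shows up in the traffic log.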

bbhaag

I'm looking at purchasing the Fortigate-30E but have a few questions. You guys seem to know more about them, so could you please help me out? I'm struggling with PCI compliance issues and it seems that Fortigate offers a low-cost solution for an SMB. What I need is an easy-to-manage solution that is budget friendly. I see that Amazon has the FORTIGATE-30E with one year of UTM for around $400, which seems reasonable, but I have a few questions.

What is the difference between UTM and ENT? It would be deployed in a small business that has four CC terminals and 2 workstations. Annual sales are around $1.1 million retail and most of that is through the four CC terminals. So would the cheaper UTM option be OK? I see that both are a one-year subscription, but do you guys know the cost after the one year is up? How is support for someone who is not that network savvy? I get the basics, but I don't talk in acronyms like most guys in networking do, so does Fortigate's support take that into account?
I don't want a drop-in solution that is hands-off, but I need something that is easy to manage and has good support. Do you guys think that Fortigate could fit the bill for me?
 

thecoolnessrune

Like I mentioned before, Fortigate appliances cannot by default detect sandbox-aware malware, and only work based on signatures in live format (there's no re-detection based on new heuristics). FortiCloud, Mobile Device Protection, and IP/domain reputation lists are pieces that help with that, and are included with Enterprise licensing.

I highly recommend getting in touch with a VAR; they can help you answer your questions to see if you really need those Enterprise features.