Fortinet FortiGate vs Cisco ASA vs Palo Alto Networks Wildfire vs pfSense vs Sophos UTM: Firewall Reviews Face-off

What do users at IT Central Station discuss in their Firewall Reviews?

This week, a Review Face-off is held between:

What are each solution’s most valuable features? Where would users like to see improvement?

Continue reading to read expert advice from the IT Central Station user community.

Fortinet FortiGate Reviews

Question: “What are Fortinet FortiGate’s Most Valuable Features?”
Answer:

“You can create multiple virtual domains (VDOMs) which are treated as separate firewall instances. The reporting you get out of this appliance is excellent and you don’t need an external management system.”

— Simon Chaba

Answer:
  • IPS
  • Application control
  • IPsec & SSL VPN
  • Web filtering
  • E-mail security
  • Data leak prevention
  • Wireless security and wireless controller
  • Central antivirus (FortiClient)
  • HW & SW token controller (FortiToken) etc.

— Adriana Ymeri

Question: “Where Do You See Room for Improvement in Fortinet FortiGate?”
Answer:

“Talking about FortiGate, the main complaint I have heard is about the technical support. My personal experience is the same as that of many people that are not happy with this aspect of the service offered by Fortinet. Often your problem is diverted to local partners and I have to say that I had mixed results with them. While some partners are professional, many are not skilled enough and have costs that are not equivalent to their quality.”

— Fabrizio Volpe

Answer:

“Fortinet policies are built between zones or interface to interface. This can result in duplicates being installed without warnings, resulting in policy auditing issues.

Another issue is that FortiGate does not support Netflow, only sFlow is supported.”

— Simon Chaba

Cisco ASA Reviews

Question: “What Are Cisco ASA’s Most Valuable Features?”
Answer:

“I especially value Change Management and Compliance. They are most valuable because we are required to comply with regulations regarding credit card processing (PCI) and protecting patient data (HIPAA).”

— Eric Garcia

Answer:

“Outstanding NGFW capabilities, Site to site VPNs and High Availability. Also, the integration of FirePOWER services (Web Filtering/IPS/Malware Protection) is a huge step forwards for an already great platform.”

— Alberto E. Luna Rodriguez

Question: “Where Do You See Room for Improvement in Cisco ASA?”
Answer:

“Only problem, in my opinion, is ease of use. You really need to know your way around the CLI and complex feature set to get things working. The ASDM GUI is good for some things but for the most part, you’ll need to stick to the CLI which is a bit difficult, especially if you don’t have a lot of experience around Cisco equipment.”

— Alberto E. Luna Rodriguez

“There are many areas for improvement despite the fact that we love the product, but because it is a newer version we’ve been working out lots of issues. Some of those issues are based on our environment.”

— Eric Garcia

Palo Alto Networks Wildfire Reviews

Question: “What Are Palo Alto Networks Wildfire’s Most Valuable Features?”
Answer:
  • App-ID
  • User-ID
  • Ease of deployment and usability
  • Filtering Mechanism like SP3 Engine

“From a technical perspective, this has given us a new high as this is how a technology solution should function.

From a sales perspective, we have been able to pitch the solution to new customers as it seems cheap to customers when we bundle the solution, compared to getting each device for individual functions.”

— Girish Vyas

Question: “Where Do You See Room for Improvement in Palo Alto Networks Wildfire?”
Answer:
  • IP SLA tracking
  • GRE tunnel support

“I believe these are the major improvements in the pipeline.”

“In addition,” adds Vyas, “It crashes too frequently for a few boxes, which could be expected from a new vendor as it evolves.”

— Girish Vyas

pfSense Reviews

Question: “What are pfSense’s Most Valuable Features?”
Answer:
  • Fail-over between multiple ISPs
  • Firewall
  • Graphs
  • Real-time interface monitoring
  • The web UI gives you an overview of everything you want to see
  • For an open-source solution, it has performed fantastically
  • OSPF
  • It contains loads of optional packages, e.g. Snort (IDS), Asterisk (PBX), network monitors etc.

— Dania Seun

Question: “Where Do You See Room for Improvement in pfSense?”
Answer:

“Whenever a new version rolls out, there are hidden bugs. That’s why we normally run a version behind for a little while before rolling into the current build.”

— John Crabtree

Sophos UTM Reviews

Question: “What are Sophos UTM’s Most Valuable Features?”
Answer:

“The web filter and the ATP (Advanced Threat Protection) are great and easy to manage, and the integrated WAF (Web Application Firewall) allows the administrator to seamlessly protect HTTP/S services without having to pay thousands of dollars.

They just introduced the Sandstorm system for protection, which is awesome as well.”

— Juan C. Sanchez Pignalosa

Answer:

“The Sophos UTM products helped us manage a global network of more than 20 sites.

Their ability to firewall, filter and monitor network traffic and provide VPN connectivity really helped us day to day with such a complex network.

We chose the product initially because the user interface was simple to understand and made sense without requiring a long training course for an experienced network engineer to utilize.”

— Karim Kronfli

Question: “Where Do You See Room for Improvement in Sophos UTM?”
Answer:

“Sophos UTM has many improvements that I would suggest, but the main one is for the Application Control to be managed with users as well, and with timeframes (schedules) for the administrator to allow certain apps outside a specific timeframe, or vice versa.”

— Juan C. Sanchez Pignalosa

 


New: What are Enterprise Tech Users Asking About Firewalls in 2017?

At IT Central Station, 7,161 users follow the category of firewall reviews and questions published by enterprise tech professionals. As of March 2017, our firewall user reviews have been viewed over 381,820 times.

Terry Stokes, an Information Technology Manager at a Healthcare company, asked the following question in our firewalls user community:

Asked in March 2017:

“What do you recommend for a corporate firewall implementation? I have six geographically dispersed locations.”

Question Background: “I have a web-based firewall solution from our telecom vendor which is not user-friendly nor does it show you the traffic on the firewall.

I have six geographically dispersed locations. What do you recommend for a corporate firewall implementation?”

Read top answers to Terry’s question, as published by our users:

Sean Akers, DevOps Engineer:

“The original question did mention ease of use, showing throughput, and the need to connect several regions, which is why I recommended Meraki products. IMO they are by far the easiest firewall to set up and a total no-brainer for distributed use. It is nigh on impossible to accidentally disconnect your remote offices due to configuration mess up and even if you do then the out-of-band management will allow you to correct the issue.

If you know what you’re doing then I’d go with pfSense. Powerful and affordable (free even if you can do without the support).

We have Meraki MX in our HQ office as the needs there are simple and ease of management is a top priority along with all the stuff the Advanced Security license brings. We use pfSense in our data center rack.

Having spent a long time with Cisco ASAs I’d certainly not recommend them to the OP due to being far too complex to set up without experience or training. Although they’re rather good if you know what you’re doing.”

Rrahul Hansuka:

“Fortigate Firewalls are best suited for these purposes. You may select the appropriate model either by comparing specs on their website or talking to one of their consultants. The only shortfall with Fortigate is that one needs to be trained to configure and manage these devices. So, you either learn it yourself or sign up a support partner. Online support is not very great for setting the device up, but pretty quick and efficient in helping resolve specific issues faced.”

Musavir Sheikh, Senior Network Engineer:

“I think you can use, Fortigate Firewall, Barracuda WebFilter Firewall. They are user-friendly and you can generate an efficient report etc. We are also using Fortigate 310B for web filtering.”

Nigel Williamson:

“If you are not a regular firewall service manager and this is a first-run into the corporate firewall systems, I might suggest Check Point solutions as a first name in easy to learn and quick to get up and running appliances. Check Point takes a very logical approach to security and it is up there with the best. As for bells and whistles, get a briefing from a vendor and see if it is a fit for your finances, pretty sure your 6 sites will be managed with ease.”

Fred Fish, Network Administrator:

“I’ve been running Cyberoam (now Sophos Cyberoam UTM) for over 10 years for my firewalls. I’ve really enjoyed the Cyberoam Support over the years; those guys are great to work with. I have also been looking at the Meraki units for future upgrades to save a bit of money, and get a bit more visibility into the traffic. You really have to weigh the money you have for the project and the number of users at each of the locations to know which solution is best for your organization.”

Michael Wing, Network Engineer:

“There are a few questions I would ask myself first before choosing a firewall vendor. They would be as follows:

  1. What is the budget for the hardware?
  2. What kind of connectivity is present at each site (e.g. DSL, IPVPN, Leased Line, 3G/4G etc.)?
  3. What is the traffic profile for each site (running mostly web applications, SQL, social media etc)?
  4. What throughput is needed per site?
  5. Do you require more advanced UTM functionality to secure/protect internal infrastructure?

If you can pinpoint these you’re on a good course to selecting a vendor.

To name but a few, my personal preference would be:

Cisco Meraki (if you want to have a cloud managed SD-WAN solution)

  • Expensive based on throughput
  • Very nice interface, lots and lots of detail about traffic on your network; requires licensing (OpEx costs as cloud based).
  • SD-WAN ready out of the box (really read into this as the benefits aren’t as peachy as they may first seem); it’s Cisco so a very steep learning curve.
  • Very feature rich.

FortiNet (if you need UTM/Application firewall)

  • Cost effective.
  • One of the top vendors in the Gartner Magic Quadrant.
  • A very nice interface; learning curve to overcome as a more advanced piece of kit (more cost effective especially when compared with the likes of Cisco, Palo Alto and Check Point but in the same league all throughout the product range).
  • FortiNet has a full security fabric, so in the future, if you’re looking for desktop AntiVirus/Email appliances (FortiClient), WAN Load Balancers, Traffic Analysers, access switches, Cloud-based network logging etc., they have solutions for this that seamlessly integrate.

WatchGuard

  • Basic Firewall VPN and access rule functionality.
  • Cost effective: does what it says on the tin (VPN, standard firewall policies).
  • Not used personally but have customers who do; looks extremely simple to set up and configure, would say cheapest and easiest to use of all mentioned but nowhere near as advanced or feature-rich. You get only what’s on the tin in a basic way.”


Firewall Reviews: What are Real Users Saying?

What feedback do enterprise tech users give about Firewalls? In this week’s blog post, IT Central Station community members share their feedback and expertise on top Firewalls in the enterprise tech market: Fortinet FortiGate, Cisco ASA, and Palo Alto Networks Wildfire. What are these solutions’ most valuable features? Where do users see room for improvement? Continue reading for expert feedback from real users of these Firewalls.

Fortinet FortiGate

Valuable Features

  • Virtual Domains

Both Simon Chaba and ProjMan8210 point to Fortinet FortiGate’s virtual domain features as one of its most valuable.

Chaba specifies that you can create “multiple virtual domains (VDOMs) which are treated as separate firewall instances”, which eliminates the need to buy physical firewall hardware in a circumstance where “you’re hosting multiple customers requiring individual secure access to their firewall.”

  • UTMs, Application and Web Filters

Roberto Garcia Hernandez shares that FortiGate’s UTM features have “solved many issues that other firewall providers have not developed as Fortinet has.” These features also enabled Hernandez to configure an application control sensor that was tailor made to the permissions-control that a customer needed in a highly specific use-case.

ITmanager567 explains that the application and web filters allowed his organization’s network to block necessary social networks, VPN applications, and to use torrent applications.

Room for Improvement

  • Troubleshooting and Support Tools

ProjMan8210 suggests an improvement that would “integrate graphical troubleshoot tools for policies based on devices or user identities.”

“Sometimes it’s super hard to figure out what’s wrong with a FortiGate VPN unless you know the commands on the CLI to see the flow and how to interpret it” says NetworkEng896.

To address this, NetworkEng896 suggests providing manuals or support resources that would provide “all steps, command line syntax, and GUI…how to take steps to debug the flow and see what’s failing…all the methods/syntax and the “how’s and why’s” for a scenario.”

  • Antivirus Sensor

Hernandez also points out that the antivirus sensor causes slow web browsing for customers. While this isn’t a “serious issue”, he says, the number of user reports that his organization receives indicates that it’s a recurring issue for customers.

Cisco ASA

Valuable Features

  • VPN

“Cisco’s AnyConnect SSL VPN is by far the best client VPN technology I’ve ever had to deploy and manage” writes David Varnum.

Varnum specifies that not only are upgrades “a breeze”, but failovers between units are “flawless.”

The FirePower add-on services, which can be run either as a hardware or as a software module within the ASA, are particularly useful, he adds, and managing them is an easy, intuitive process.

When discussing the ASA, Fabrizio Volpe adds that it’s “stable and with a low level of work required on the maintenance side.”

Like Varnum, Alberto E. Luna Rodriguez describes the FirePower services as “a huge step forwards for an already great platform”, as they enabled better control and visibility over the traffic traversing his organization’s perimeter.

Room for Improvement

David Varnum explains that in order to manage multiple firewalls in your network from a central point, the only present option is to do so through Cisco Security Manager, a suite of applications which “is in much need of overhaul…riddled with bugs…a counter-intuitive interface…software defects.”

When discussing the ASA “family of hardware based firewalls” Volpe advises that it’s not an “all in one product”, because not all operations are available in its graphical interface, requiring users to “know the ASA command line very well.”

“In my opinion”, shares Rodriguez, the only problem is “ease of use.” Rodriguez explains that in order to get things working, “you really need to know your way around the CLI and complex feature set…which is a bit difficult especially if you don’t have a lot of experience around Cisco equipment.”

Palo Alto Networks Wildfire

Valuable Features

  • User Interface

Although the WebUI looks simple at a glance, says Jesus Guadalupe Torres Araujo, it’s “one of the best WebUIs that I have used” offering a lot of options to secure all the traffic passing through the device.

  • Functionality

“From a technical perspective” says Girish Vyas, “this has given us a new high as this is how a technology solution should function.”

Vyas points to the solution’s “ease of deployment and usability”, filtering mechanisms, as well as the App-ID and User-ID features to be most valuable.

Room for Improvement

  • IPSec VPNs

“I’d like to see IPSec VPNs” writes Araujo, adding that “they need to improve the graphics to show the network behavior.”

For Vyas, the major improvements needed are IP SLA tracking and GRE tunnel support.


Top Enterprise Firewalls – 2015 Edition

For any corporation, firewalls are network security systems that control as well as monitor all incoming and outgoing network traffic. Firewalls have long provided the first line of defense in network security infrastructures by comparing corporate policies about users’ network access rights to the connection information surrounding each access attempt. User policies and connection information must match up, or the firewall does not grant access to network resources; this helps avert break-ins. The rise of internal threats has come about through the emergence of new network perimeters that have formed inside the corporate LAN, thus increasing the importance of firewalls.

Here at IT Central Station, we offer a crowdsourced platform that allows real users to share their opinions about tech products with the rest of the enterprise tech community. We have compiled over 85,000 views of the top Firewalls by real users in 2014 and Q1 2015 and analyzed their trends in the infographic below. All of our data is based on actual behavior of real users researching and comparing vendors on IT Central Station.


If you have any questions regarding our research or would like to read our reviews, please visit our IT Firewalls category page on IT Central Station at http://www.itcentralstation.com/category/firewalls.

View our infographic on IT Central Station.