Tuesday, October 27, 2009

Why Cisco? Fortinet FortiGate Alternative to Cisco PIX or Cisco ASA

I don't really have anything against Cisco. I think they have a great product line. I even passed the CCNA and CCNP exams back in 2002. However, about 4 years ago, when I was working for the City of Provo, we were looking for a new firewall and I was tasked to do the research. It was at this time that I was introduced to the Fortinet FortiGate firewall (all-in-one, multi-threat, unified threat management (UTM), or whatever they are calling these devices now).

We ended up purchasing two of these devices for the city and set them up in an active-passive distributed cluster (the firewall is partitioned into two virtual firewalls; one network runs on one unit and the other runs on the secondary unit, but if either device should fail, its traffic switches to the surviving unit). I have since deployed and managed 5 different sets of clustered FortiGate firewalls for another company, and I feel like I need to share how much I like using these devices. I am not saying they are perfect, but what device is?

Let me just briefly touch on some of the features offered:

Stateful Firewall
Web Filtering
IDS/IPS (Could be easier to manage)
Network Anti-virus
Anti-Spam (One of the areas in which these devices could be improved)
High Availability (Active-Active or Active-Passive Clusters)

For full features and specs, visit http://www.fortinet.com.

Now, to be fair, there are a few areas in which the product could be improved. As mentioned above, the IDS/IPS functionality could be a little easier to configure, and the Anti-Spam could have more options. The logging and reporting is all there, but it could also be improved. However, even discounting the device for these issues, it is still an amazing value.

Coming from a Cisco IOS background, it was difficult at first to get used to the fact that you can configure 90-95% of the firewall through the web interface (not that you have to; there is a CLI). However, the web interface is great, and it makes managing the firewall, and training IT staff to use it, much easier.

I think that I am most impressed with the High Availability features. Not necessarily how well high availability works, though it does work well, as much as how easy it is to cluster the devices. The configuration is straightforward, can be done through the web interface, and connecting the devices is a breeze.
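As an added example that is not from the original post, here is what the active-passive virtual cluster described above (two virtual firewalls, each active on a different unit, each failing over to the other) looks like when configured from the FortiOS CLI instead of the web interface. It assumes FortiOS 4.x-era syntax for virtual clustering, two VDOMs named root and vdom2, port4 as the heartbeat interface, and placeholder values for the group name and password; the same commands are entered on both units, with the two priority values swapped on the second unit so that each VDOM prefers a different chassis.

```fortios
# Assumed FortiOS CLI (added example, not the author's configuration).
# Enter on unit A; on unit B swap the two priority values (100/200).
config system ha
    set group-name "GROUP-NAME-PLACEHOLDER"   # same on both units
    set mode a-p                              # active-passive cluster
    set password "HA-PASSWORD-PLACEHOLDER"    # same on both units
    set hbdev "port4" 50                      # dedicated heartbeat link
    set override enable                       # prefer highest priority, fail back
    set priority 200                          # root VDOM active on unit A
    set vcluster2 enable                      # second virtual cluster
    config secondary-vcluster
        set vdom "vdom2"                      # vdom2 belongs to cluster 2
        set override enable
        set priority 100                      # vdom2 active on unit B
    end
end
```

With this in place, a heartbeat loss or monitored-interface failure on one unit moves only the affected virtual cluster to the other unit, which is the distributed behaviour the post describes. Two points a practitioner would check before relying on it: use a direct cable or isolated VLAN for the heartbeat interface so cluster traffic cannot be observed or injected from a production segment, and test failover by pulling a monitored link rather than assuming the configuration is correct.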

The IPsec VPN is standards-based, and I myself have successfully connected to Cisco, Check Point, and SonicWall VPN devices. The SSL VPN is great and runs in both IE and Firefox. They even have clients that allow you to run the SSL VPN on Linux and Mac OS X.

There are options for authenticating users to determine which web filtering, IDS/IPS, Network AV, etc. (called a Protection Profile) gets applied. This authentication can happen seamlessly with an Active Directory extension, or the user can be required to log in to a web form using RADIUS, LDAP, or local authentication.

If you haven't heard of Fortinet before, check them out. I highly recommend the product. Do you use Cisco? If so, what are some reasons I should give the Cisco PIX or ASA another shot? If not, what do you use and how do you like it? I would love to hear from others on this topic.


  1. Hello my friend David, take a look at this site

    Ramon Van Der Heide

  2. Hi david,

    We have a multiple-vendor environment in the company, such as FortiGate, SonicWall, and Juniper NetScreen. I found the SonicWall interface to be excellent and the Juniper interface to be quite confusing. Configuration in SonicWall can be completed really quickly with ease by accessing the wizard, whilst Juniper has its own terminology which is different and slightly complicated. SonicWall also has an IPS module integrated with the main firewall. But the issue with SonicWall is that the configuration cannot be exported to a .txt file to check the configuration. It exports the configuration to a .exp file which cannot be viewed.

  3. Venkat, are you saying that of the three you prefer the SonicWall?

  4. Hi David,

    I know this post is quite old, but I'm in the midst of a project about UTM, as well as Cisco and Fortinet.

    I'm a tech researcher at a research firm based in San Francisco, called Blueshift Research.

    I really enjoy your blog. Let me know if you have a few minutes to chat.

    Adam Lesser | Trend Researcher
    Blueshift Research, LLC
    321 Pacific Ave. | San Francisco, CA 94111
    al@blueshiftideas.com | 310 500 0833 (Cell-Please Try First) 415 364 3781 (Work)


  5. I'll second Venkat's comment about SonicWall with a correction: you can export the configuration details as a human-readable "Tech Support Report."