Sophos UTM Review

Sophos UTM vs. Fortinet FortiGate


I have used both Sophos and Fortinet products in production and I have found the Sophos UTM appliances (hardware and virtual) to be a better fit most of the time -- with a few caveats which I will touch on below. In both instances, the transition from TMG will be mostly straightforward. The main hang-ups will be with the VIP/load balancing and SSL. For some reason that completely escapes me, both of these vendors make getting valid certificates onto their boxes unnecessarily difficult -- the Fortinet appliances more so than the Sophos UTM appliances. At one point a Fortinet engineer had to write an entire manual on how to get an SSL certificate uploaded successfully on the 4.x firmware.

Sophos: The one feature that is missing (and this makes some amount of sense) from the Sophos appliance is BITS caching for updates. Other than that, Sophos offers a full replacement for TMG on UTM9. The XG platform also offers a replacement for the TMG; however, some of the rumblings about upcoming releases suggests that Sophos is going to give XG the Apple iOS treatment and "streamline" the interface...potentially cutting out/hiding some functionality. On the effectiveness of the NGFW, Sophos is mostly good but has a few issues blocking all pieces of an application. For instance, we had to build custom blocking rules for OpenVPN (the vpn was being used to bypass the content filter) because the default Application Control wasn't effectively blocking the application.

Fortinet: If it wasn't for Fortinet's terrible tech support we would still be deploying Fortigates exclusively. So perhaps that answers your last question right upfront. FortiWeb is not absolutely required for what you are proposing; however, the FortiWeb does make the transition from TMG much easier as the FortiWeb is purpose-built to do what you are requiring. Related, the AD-integration used with Fortinet is one of the strongest implementations we have used: The SSO agents ability to poll data from the DCs without an agent allows the use of SSO with non-Windows machines that are bound to AD, which we have used extensively at both educational institutions and shops running CentOS. Transitioning to Fortinet is relatively simple: The UI makes a lot more sense than it did in the old 4.x releases, the firewall rules are straight-forward, and the reverse proxy settings are well-documented.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
7 visitors found this review helpful
5 Comments
UserUser

I have virtual Sophos UTMs at multiple locations. I did my homework on the two vendor appliances here and Sophos was the better option. I am very happy with the product and I know I made the correct choice. The Fortinet group could not give me a straight answers as to why their product was better than Sophos other mentioning the Garner reports. Which I may say were comparing smaller version of a Sophos UTM.

04 January 16
Presale, Solution Consultant at a tech services company with 5,001-10,000 employeesConsultantTOP 10

For long term running what we need is is a high-performance, stateful, full-proxy network firewall and in stateful real-world traffic, involving applications such as Facebook, Zynga Farmville, Pandora radio, AOL Instant Messenger, Microsoft Outlook and others. Under those conditions, Fortinet said, the 5140B maxed out at 526 Gbits/s, and 542 Gbits/s for HTTP traffic. The same tests using stateless streaming traffic produced results of 559 Gbps for large (1518 byte) packets, 547 Gbps for small (64 byte) packets and 557 Gbps for IMIX; in all, Fortinet claimed that both stateful and stateless traffic performance was several times the company’s nearest competitor.
“In general, Fortinet does not comment on competitive announcements. That said, until it’s been validated by a legitimate third party test and measurement company, we continue to have the fastest shipping firewall for both IPv4 and IPv6. We look forward to meeting them in the lab,” Patrick Bedwell, vice president of products for Fortinet, wrote in a statement.

04 January 16
Juan C. Sanchez PignalosaReal UserTOP 5

Fortinet has loose their ability to attend personalized support cases. You must first take a glance at Gartner's Magic Cuadrants. Thi sis purely based on Marketing strategies. Sophos is a great product (not perfect) but in my opinion, is the most advanced and complete.

Michael, I understand the need for SSL blocking, and features, it is very important nowdays, I'm a fan of SSL blocking, now that every single web page, is trying to be accesible via this protocol. I have discovered with the UTM and the XG Version (from Sophos, that is), the way to do SSO, without Proxy Configured on Standard Mode, but in Transparent Mode, (it was really hard to be done in the past, but on UTM is very easy and effective). ON XG, it has to have an DC Agent, which is also very easy, you do not need to have clients throughout the network (we must be compatible with non Windows environments).

I dislike Fortinet support worldwide, they have lost their core meaning, offer great post service, and maintain their loyal customers... This leaves us the gap, to entry with Sophos UTM/XG appliances, and not to mention the 36 worry free hardware warranty, via RMA (you dont pay a dime, for real).

Contact me if I can be on any help for Sophos UTM/XG solution, I love the new XG interface, and I'm very familiar with the UTM latest Version.

PD: We have many Sophos boxes deployed worldwide, we have not certified the XG Platform, but we will not farther than 1st 2016 Q.

05 January 16
UserUser

I agree with Juan C. Sanchez Pignalosa, I'm a Support Engineer from Africa
We are sale representative of Sophos Cyberoam and my opinion is that the customer and partner support at Sophos Cyberoam is exceptional. Yesterday we work on a case with another support engineer in Indra. At Sophos they really care about their customers.

07 January 16
Orlee GillisConsultant

Mark, how has your experience with Firewall security been since this past January?

06 October 16
Guest
Sign Up with Email