2017-09-14 14:09:00 UTC

Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL?

Which do you recommend? Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL?

72 Answers

@DataDeptMgr674 Sophos is the leader? Oh, that's new for me. :)
In real tests - we test all suppliers in front - Sophos failed every time. They have a big mouth.

2017-10-03 11:00:34 UTC
UserTOP 20

I like both firewalls, but you should consider your team's or your own availability and resources to support the business.
Cisco has better throughput; Fortigate has better interface management and is easier to implement than Cisco.
Hope it helps.

2017-10-03 10:23:11 UTC

ASAs don't do route-based site-to-site VPNs. This is a huge limitation for large-scale VPN builds.

2017-12-14 18:36:57 UTC

I have no knowledge of Fortinet but I know that Cisco ASA with FirePOWER is not the best.
My suggestion is to buy a purpose-built app or VM. Combinations will never really hit the mark.

2017-12-01 14:15:31 UTC

To map Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL, I would like to propose Huawei USG Series USG6360.

2017-10-08 10:28:25 UTC
Real User

It is important for me to know the opinion and experience of other professionals. Thank you all for your answers. It is clear that for the moment Fortinet wins :-)

2017-10-03 17:15:04 UTC
Real User

Fortigate hands down, better integration than Cisco and easier to deploy. Choose the E series (100E, 200E, etc.)

2017-10-03 13:30:39 UTC
Real UserTOP 5

We have migrated off of Cisco and Checkpoint over the last three years. We recently purchased a Fortigate 100E which is the model I would recommend as the 'D' series is older and less powerful. We use models that ranged from FG-60C (obsolete now) to series 3000. The 100E is great for our regional sites and provides IPS, VPN, A/V, web filtering and application control. These systems are both advanced and powerful as well as very affordable. We also use virtual images for our cloud (Azure and AWS) subscriptions as well as for internal firewalls on VMware. Additionally the Fortigate integrates well with their WAF (FortiWeb reverse proxy), RADIUS servers, logging and reporting servers as well as SIEM.

2017-10-03 13:23:21 UTC

@Alvaro Picado. We use Check Point for segmentation. For network termination to the internet, mostly Palo Alto.
In industrial cases we use Stormshield as well.

2017-10-03 10:56:20 UTC
Real User

Actually Andreas is right. It depends on what the FW would be used for. Since those boxes are small, my guess would be that this would be used for internet facing, so I would recommend also checking the Palo Alto line. If it's for segregation I would go with the ASA and actually also check the Firepower 2110 box, since it's more future proof.

2017-10-03 09:22:17 UTC
Real User

Hi, Andreas. Thanks for your answer. Which firewall do you recommend?

2017-10-03 09:14:53 UTC

I would suggest Fortinet FG-100D-DBL; it will serve the purpose within a reasonable budget for a non-profit.

2019-10-05 10:36:15 UTC
Real User

This is helpful to make a decision.

2019-07-15 06:27:05 UTC

I'd go Fortinet as well, but there are some considerations.
1) Cisco AnyConnect is the de facto leader in remote VPN support. Fortinet's client is decent and I use it all the time, but in terms of widespread adoption, platform support and automatability, I think Cisco has a significant edge.
2) The Cisco FirePower-X module operates as a totally different device (distinct IP/login) in the same chassis to get you the same functionality as Fortinet. That's super annoying. In Fortinet there's one interface that gives you all the functionality.
3) The Cisco interface is not idempotent nor often reversible. You can go through the wizard and set things up, but if you get something wrong and try to do it again, you get really, really weird results (such as near dups) in the config, and undoing stuff leaves config lines around. Super annoying and frankly sub-par. Sometimes the only way to clean things up is to go to the CLI and start deleting stuff.
4) The Fortinet UI is better integrated, IMHO.
5) The Cisco mechanisms of setting up VPN tunnels and their use and application of NAT and rules are more confusing than any other (PA, Juniper, Fortinet, etc.).
6) Without the FirePower module, it's just another port-based firewall (i.e. consider that an absolutely required feature and live with the warts).
7) There are many, many people out there that do Cisco, so help is plentiful.
8) Even though Cisco scored highly overall in the NSS Labs 2017 test, they did not do as well in terms of releasing updates to have the latest available (CAWS). Fortinet should be more real-time for protection of day-0 exploits than Cisco on average.
9) The config dump is more readable on Fortinet. In Cisco, most of the configurations are at global scope.

2017-10-05 17:16:38 UTC
Real User

I prefer Fortinet.

2017-10-04 17:53:58 UTC

Of course not Cisco, since it won't give the features that Fortigate

Moreover, for Next Generation Firewall, Fortigate is much, much better than Cisco in terms of performance, security & manageability.

As for the below request we need to make sure that this appliance that is needed what is its role i.e. is it going to be used as Web Filter, Email filter, Application Filter, Network Security etc.... because based on that the model shall be decided.

2017-10-04 15:26:25 UTC

What is the necessary bandwidth which the firewall has to support?
Also please tell me if the firewall has to support encryption (site-to-site VPN, or remote access VPN).
If yes, please tell me the following:
- Encryption performance necessary (in Mbps)?
- Number of site-to-site VPN tunnels?
- Number of remote access clients and type of devices (Windows, Windows Mobile, Linux, Mac OS, Android, etc.)?

2017-10-04 07:04:41 UTC
Real User

Jhon, thanks for the advice :-)

2017-10-04 06:49:22 UTC
Real UserTOP 5

Fortinet FG-100D-DBL. It is worth evaluating the possibility of the FG-140D-POE model. These devices are very versatile and provide a wide range of functions for those passionate about perimeter security, as is my case.

2017-10-03 18:51:13 UTC

That’s a religious argument however this link points out some of the differences between the platforms:

2017-10-03 17:53:21 UTC

I would suggest Fortinet FG100D-DBL firewall. However, I am not sure 100D will support 200+ users, if not you can go for next series like 200-300 series.

2017-10-03 17:51:19 UTC
Real User

Pound for pound I would choose Fortinet any day of the week. They offer tremendous flexibility and capability for the price. It's not Cisco, but it gets the job done and then some without nickel and dime charges for added capabilities.

2017-10-03 16:18:15 UTC

Fortinet FG-100D-DBL

2017-10-03 15:33:20 UTC
Real UserTOP 20

I recommend Fortinet.

2017-10-03 14:16:35 UTC

I say go with the Cisco because it is still top of the line if he is a Cisco house.

If not go with the Fortinet as it’s easier to install.

2017-10-03 14:09:58 UTC

I recommend Fortinet FG-100D instead of Cisco, because FGT provides better UTM functionalities and ease of access. Hence I would like to recommend you to use Fortigate for better, ease of security protection.

2017-10-03 13:31:05 UTC

I would recommend Cisco (ASAs or Firepower appliances)…

2017-10-03 13:28:37 UTC

It all depends on what you want to achieve. Both have the same basic firewalling functions as well as the added modules like IPS, antivirus, etc. I have been using Fortigate firewalls and like the VDOM feature and SSL VPN integration in the firewall.

2017-10-03 13:22:00 UTC
Real User

I would choose Fortinet.
I have had the ASA 5516X with Firepower for almost two years. The ASA and Firepower integration is not that seamless. They still look like two separate products to manage.

2017-10-03 13:16:39 UTC

I have no experience w the Cisco FW…..that said I can highly recommend the Fortinet – I use the 100d and several WiFi Access Points, switches and the Fortianalyzer reporting tool. All pulled together w their integrated GUI. Support has been very helpful as well.

2017-10-03 13:09:06 UTC
Real UserTOP 20

I would opt for a WatchGuard UTM due to its advanced security features.

See link: https://www.watchguard.com/wgrd-products/security-services#advanced

Also check awards/reviews on the product: https://www.watchguard.com/wgrd-about/awards

2017-10-03 13:06:00 UTC
Real UserTOP 20

I would recommend the Fortigate and agree that the new E range has expanded the functionality.

2017-10-03 13:05:39 UTC
Real User

I recommend Fortigate over Cisco for many reasons:

Cisco as a company is not a security company in the first place; they are doing a great job with switching/routing but not with security. The integration between Cisco ASA and Sourcefire is suffering from many issues; they are trying to integrate two different vendors in one box. The Fortigate 100D has better performance compared to Cisco ASA 5516. Also, price-wise, Fortigate is cheaper than Cisco and does the job better than Cisco.

I worked with three UTM/NGFW vendors and Fortinet was one of them. Forget about comments in the Gartner report and look at the NSS Labs report; this is the trusted report you need to use when choosing a UTM/NGFW.

2017-10-03 12:56:23 UTC

We have a Fortinet and the new Firepower server (we are in the process of installing). I would not recommend the ASA with Firepower added in but would go with FTD, their new platform, if interested in Cisco. Our Fortinet has performed reasonably well. Frankly the Fortinet is cheap, have you considered Palo Alto? They just lowered the price of their firewalls and are doing well for UW… We went with the Firepower because this is the Morgridge Institute and John Morgridge (former CEO of Cisco) founded the institute. We run Cisco here as much as possible to honor John! Derek

2017-10-03 12:55:21 UTC

Depends on how skilled you are with the Cisco command line to customize. I have had great success with Fortinet and SonicWALL, but currently like SonicWALL for their Capture ATP service to block ransomware and zero day threats. Dan

2017-10-03 12:51:39 UTC

Fortinet in all cases.

2017-10-03 12:42:03 UTC

OK, Cisco always sounds like the best solution, but it also always costs a lot. The advantage of this brand is that you could use the same brand and be sure about compatibility between your network core and the firewall you are looking for, of course, in case you are using Cisco switches. First question: are you using other Cisco devices?

I don't know if you can configure all of it with Cisco IOS, but you have a web admin interface which is more interesting than IOS. Second question: are you familiar with Cisco IOS or do you prefer a web admin interface?

About Fortinet and Fortigate, I already did research on this brand and it is not a complete solution; there is always something that will need some more modules, which is more expensive all the time.

At the beginning it could be cheaper than Cisco, but at the end it will be costing constantly, and last time I checked, it costs in yearly leasing. Third question: do you want yearly leasing for this solution?

I hope I am useful for you, have a good decision!

2017-10-03 12:40:14 UTC

New Fortigate 200E replacing my ASAs as we speak. I can't say much for the Fortigate at this point as I am still in testing mode. What I can say is, Cisco makes great switches and routers. However their years of being useful to consumers has since been surpassed with other vendors making the same products for half the cost. My 200E was around 5k FULLY LOADED. Let's see Cisco pull that one off. Include smart net and all the bullshit that goes along with it. HA!! Now on to Sourcefire. You honestly need to be a dedicated engineer to Sourcefire and man it on a daily basis for it to be of any use to anyone. The ideas are great but getting it to work properly is simply just a pain in the ass. As big companies want to do more with less and that includes less people, then where is the manpower to man such a beast? The days of port blocking and simple natting are long gone and when you need the power of what today's new next-gen firewalls bring to the table you need something that is easy to work on that can do the tough jobs easily. Cisco just doesn't bring it that way.

2017-10-03 12:33:31 UTC

Absolutely Fortigate FG-100D…

The new software release 5.6 is powerful and FG is a next-generation firewall & hardware.

2017-10-03 12:25:43 UTC

I would be happy to help. Can you share any more information about the overall project or need that the device would be serving?

2017-10-03 12:24:34 UTC
Real User

I would go with the Fortigate. It is built from the ground up as a NG firewall without a bunch of add-ons to get it up to functionality. Fortinet has repeatedly ranked ahead of Cisco in the Gartner Magic Quadrant report. The Fortigates have an easy GUI, and the CLI will take a little getting used to if you live in the Cisco world, but it is not bad. Add on top of all of that you can get two 100D firewalls working in failover mode cheaper than one 5516X with Firepower.

2017-10-03 12:21:45 UTC

Unfortunately, I have no experience with the Fortinet line, but the Cisco model is one we use often. I can recommend it.

2017-10-03 12:13:59 UTC

I recommend Fortinet FG-100D-DBL

2017-10-03 11:54:18 UTC
Real User

Cisco ASA 5516-X Security Appliance

2017-10-03 11:50:00 UTC
Real User

My short answer: Fortinet FG-100D-DBL.

Cisco likes to have per-user VPN licensing, while in Fortinet firewalls you can have as many VPN users as the iron can sustain.

Hardware acceleration for ACLs/policies, and content inspection/layer 7 application control, is available in almost all FG models, while those in 200-300 range have non-lite ASICs.

High Availability configuration and management is really, really easy.

Fortinet documentation is won-der-ful, they have put a lot of effort in quantity and quality.

We are proud users of a couple of 500D in HA, and another couple of 300D filtering respectively 200 Mbps and 100 Mbps Internet traffic.

2017-10-03 11:20:04 UTC
Real User

May I have the requirements before selecting a firewall product?

Fortinet also has a few bugs.

2017-10-03 11:07:48 UTC
Real User

I personally would recommend Fortigate over Cisco. I find that Fortigate is more user-friendly and it is purpose-built from scratch as a security product, whereas Cisco is a router with advanced security features.

I am not sure whether it is the same level of capabilities maybe need to further check.

2017-10-03 10:56:36 UTC
Real UserTOP 10

Dear I have not experienced Fortigate myself, however with my infra running Cisco ASA appliances, I have never found any issue of any sort. Cisco is an industry standard for enterprises. Definitely your requirement will be the benchmark for your selection.

2017-10-03 10:52:48 UTC

I would recommend going with Fortigate as it is very easy to administer and has powerful next-generation firewall features. It is also ranked high in Gartner's matrix. Troubleshooting, debugging and configuration are also much easier on Fortigate compared to Cisco.

2017-10-03 10:46:01 UTC
Real UserTOP 5

Try Sophos SG 125 Active/Passive; it's the same as Fortinet and a leader in security as well.

2017-10-03 10:43:58 UTC
Real User

Hi guys, thank you all for your answers. They have been entirely clear. We now have two active-active ASA 5520 firewalls and we are thinking of switching to FortiGate 100-D or 100-E. Thanks for your help :-)

2017-10-03 10:31:58 UTC
2017-10-03 10:14:52 UTC

I’ll recommend FG-100D-BDL

2017-10-03 10:08:16 UTC
Real User

It has more to do with overall security.
What email protection do you have?
What endpoint security do you have?
Are you going to have a sandbox for malware analysis?

Best practices show that having an integrated solution is better than having best point solutions.

Both NGFW products are very strong.
Fortinet, with its hardware design, produces a very powerful and easy-to-use firewall; keep an eye on 5.6 and their security fabric integration.
Cisco now has a very integrated platform with SourceFire and AMP. Talos has strong threat intel and sees more threats than most due to Cisco's large install base.

The sizing does look too small for either product, especially when you start to turn on security features like SSL decryption.

2017-10-03 09:56:06 UTC

Fortinet FG-100D

2017-10-03 09:55:44 UTC

I would not recommend the FG100D because that is an old model. I would actually recommend the FG100E, which is the newest generation and almost double the speed of the previous generation. I recommend the Fortigate over the Cisco because it has much more functionality.
I'm sure there are comparison charts between Cisco and Fortigate that can show you why you should choose Fortinet.

2017-10-03 09:49:03 UTC

We have 2 x Cisco ASA 5515s and 1 x 5516 with Firepower. This works for us, but needs a network engineer to make significant changes, and monitoring and investigation of issues isn’t a strength of these devices. What is good is the AnyConnect VPN software, which for our Windows users provides high performance, though Mac users working for other organisations (tech support) have had issues with theirs. It also does site to site well with Drayteks or Cisco at the other end. There have been no successful exploits through the firewalls of which I’ve become aware, but with little monitoring I might be living in blissful ignorance! We’ve had issues with the Cisco units getting them kept up to date for PCI pen tests – though this may be more of a feature of our tech support contract than necessarily anything caused by Cisco.

I haven’t got any personal experience of the Fortinet, but their NOC view isn’t something the ASAs support without external software.

Cisco ASAs are widely acknowledged as industry standard, but the main reason we went for them is that’s what our IT support team are most familiar with.

2017-10-03 09:45:42 UTC

I would recommend Fortigate because it has better features compared to Cisco, which is at the moment trying to catch up with other vendors.

2017-10-03 09:42:57 UTC

I will recommend him to go with Fortinet FG-100D-DBL.

2017-10-03 09:37:46 UTC

Both are OK as long as they meet your requirements, which are unknown to us at the moment :)

However, I don't think either of these devices is capable of handling a load of 500 users.
Get a Cisco 5545X with Firepower or an FG 400D with UTM bundle.

2017-10-03 09:31:51 UTC

For 201-500 employees the below FWs might be undersized and have a performance issue.

However between Cisco & Fortinet, I will suggest Fortinet due to the flexibility in the Web Filtering side and Application control.

2017-10-03 09:29:39 UTC

I would recommend Cisco ASA5516-X over Fortigate.

2017-10-03 09:29:33 UTC
Real UserTOP 5

I prefer Fortigate: easy to manage, and in NSS Labs it's top of the rack.

2017-10-03 09:28:33 UTC

My answer is Fortigate. If you do perform a side-by-side feature comparison you will see that the Fortinet has many more features than the Cisco ASA+Firepower. Add to that the company's long-standing experience with unified threat management / next-generation firewalls and their price performance / lack of a "Cisco" tax and that they are consistently leaders in the Gartner "Magic Quadrant" for NGFW, and this becomes an easy decision. Best of luck with this purchase and implementation.

2017-10-03 09:26:05 UTC

Depends. ASA is just a next-gen firewall. But Fortinet is a UTM device. One box, all-in-one solution.

Now if the customer wants NGFW, we give ASA, and if the customer wants UTM, we provide Fortinet as the solution.

Also ASA is on the more expensive side.

2017-10-03 09:21:33 UTC

I have worked with WatchGuard since 1991.
They have better security than Cisco, an easy interface, and nice reporting.
You can make VPN tunnels with all brands of firewalls and routers.
My advice would be an M470 or M570 with full security pack.
If not going for WatchGuard, I would choose Fortinet with the FortiGuard add-on.

If you need more information or have questions about WatchGuard you can always contact me.

2017-10-03 09:20:38 UTC
Real User

Hi, for me the better option is Fortigate, but try to seek the new version of the appliance.

2017-10-03 09:20:30 UTC
Real User

Thank you all for your answers and tips

2017-10-03 09:18:20 UTC

Cisco ASA 5516-X Security Appliance with FirePOWER

2017-10-03 09:12:45 UTC

CISCO ASA 5516-X with FirePower /services

2017-10-03 09:09:00 UTC

It depends on the case. For segmentation you can use both.
For network termination to the internet I wouldn't use either of them.

2017-10-03 09:08:55 UTC