Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL?

Which do you recommend? Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL?

71 Answers
Suvarna PatilReal User

This is helpful to make a decision.

15 July 19
Heath FreelUser

ASAs don't do route-based site-to-site VPNs. This is a huge limitation for large-scale VPN builds.

14 December 17
Mikael TakeoConsultantTOP REVIEWERTOP 5

I have no knowledge of Fortinet, but I know that Cisco ASA with FirePOWER is not the best.
My suggestion is to buy a purpose built app or VM. Combinations will never really hit the mark.

01 December 17
Wu JimVendor

To map Cisco ASA 5516-X Security Appliance with FirePOWER Services or Fortinet FG-100D-DBL, I would like to propose Huawei USG Series USG6360.

08 October 17

I'd go Fortinet as well, but there are some considerations.
1) Cisco AnyConnect is the de-facto leader in remote VPN support. Fortinet's client is decent and I use it all the time, but in terms of widespread adoption, platform support and automatability, I think Cisco has a significant edge.
2) Cisco FirePower-X module operates as a totally different device (distinct IP/login) in the same chassis to get you the same functionality as Fortinet. That's super annoying. In Fortinet there's one interface that gives you all the functionality.
3) Cisco interface is not idempotent nor often reversible. You can go through the wizard and set things up, but if you get something wrong and try to do it again, you get really, really weird results (such as near dups) in the config, and undoing stuff leaves config lines around. Super annoying and frankly sub-par. Sometimes the only way to clean things up is to go to the CLI and start deleting stuff.
4) The Fortinet UI is better integrated, IMHO.
5) The Cisco mechanisms of setting up VPN tunnels and their use and application of NAT and rules are more confusing than any other (PA, Juniper, Fortinet, etc.).
6) Without the FirePower module, it's just another port-based firewall (i.e. consider that an absolutely required feature and live with the warts).
7) There are many, many people out there that do Cisco, so help is plentiful.
8) Even though Cisco scored highly overall in the NSS Labs 2017 test, they did not do as well in terms of releasing updates to have the latest available (CAWS). Fortinet should be more real-time for protection of day-0 exploits than Cisco on average.
9) The config dump is more readable on Fortinet. In Cisco, most of the configurations are at global scope.

05 October 17
Shane BajentingReal UserTOP 20

I prefer Fortinet.

04 October 17
Imad AwwadUser

Of course not Cisco, since it won't give the features that Fortigate

Moreover, for Next Generation Firewall, Fortigate is much, much better than Cisco in terms of performance, security & manageability.

As for the request below, we need to make sure what the role of the needed appliance is, i.e. is it going to be used as Web Filter, Email filter, Application Filter, Network Security, etc., because the model shall be decided based on that.

04 October 17
Danut AgacheConsultant

What is the necessary bandwidth which the firewall has to support?
Also please tell me if the firewall has to support encryption (site-to-site VPN, or remote access VPN).
If yes, please tell me the following:
- Encryption performance necessary (in Mbps)?
- Number of site-to-site VPN tunnels?
- Number of remote access clients and type of devices (Windows, Windows Mobile, Linux, Mac OS, Android, etc.)?

04 October 17
Alvaro PicadoReal User

Jhon, thanks for the advice :-)

04 October 17
JhonPerezReal UserTOP 5

Fortinet FG-100D-DBL. It would be good to evaluate the possibility of the FG-140D-POE model. These devices are very versatile and provide a wide range of functions for those who are passionate about perimeter security, as I am.

03 October 17
User with 10,001+ employeesUser

That’s a religious argument however this link points out some of the differences between the platforms:

03 October 17
Prasanth GopiUser

I would suggest Fortinet FG100D-DBL firewall. However, I am not sure 100D will support 200+ users, if not you can go for next series like 200-300 series.

03 October 17
Alvaro PicadoReal User

It is important for me to know the opinion and experience of other professionals. Thank you all for your answers. It is clear that for the moment Fortinet wins :-)

03 October 17
Quintin FoyReal User

Pound for pound I would choose Fortinet any day of the week. They offer tremendous flexibility and capability for the price. It's not Cisco, but it gets the job done and then some without nickel and dime charges for added capabilities.

03 October 17
Liviu PostolacheUser

Fortinet FG-100D-DBL

03 October 17
MauricioCorrêaReal UserTOP 20

I recommend fortinet.

03 October 17
Denise MilotUser

I say go with the Cisco because it is still top of the line if he is a Cisco house.

If not go with the Fortinet as it’s easier to install.

03 October 17
Technical Specialist with 5,001-10,000 employeesConsultant

I recommend Fortinet FG-100D instead of Cisco, because FGT provides better UTM functionalities and ease of access. Hence I would like to recommend you to use Fortigate for better, ease of security protection.

03 October 17
Alan ChaviraReal UserTOP 20

Fortigate hands down, better integration than Cisco and easier to deploy. Choose the E series (100E, 200E, etc.)

03 October 17
Michael KortenConsultant

I would recommend Cisco (ASAs or Firepower appliances)…

03 October 17
Stuart BermanReal UserTOP 20

We have migrated off of Cisco and Checkpoint over the last three years. We recently purchased a Fortigate 100E which is the model I would recommend as the 'D' series is older and less powerful. We use models that ranged from FG-60C (obsolete now) to series 3000. The 100E is great for our regional sites and provides IPS, VPN, A/V, web filtering and application control. These systems are both advanced and powerful as well as very affordable. We also use virtual images for our cloud (Azure and AWS) subscriptions as well as for internal firewalls on VMware. Additionally the Fortigate integrates well with their WAF (FortiWeb reverse proxy), RADIUS servers, logging and reporting servers as well as SIEM.

03 October 17
Mohamad Zulkifli HanafiUser

It all depends on what you want to achieve. Both have the same basic firewalling functions as well as the added modules like IPS, antivirus, etc. I have been using Fortigate firewalls and like this vdom feature and sslvpn integration in the firewall.

03 October 17
EricHeReal User

I would choose Fortinet.
I have had the ASA 5516X with Firepower for almost two years. The ASA and Firepower integration is not that seamless. They still look like two separate products to manage.

03 October 17
phil dockenUser

I have no experience w the Cisco FW…..that said I can highly recommend the Fortinet – I use the 100d and several WiFi Access Points, switches and the Fortianalyzer reporting tool. All pulled together w their integrated GUI. Support has been very helpful as well.

03 October 17
Pre-Sales / Technical Account Manager at a tech services company with 1-10 employeesReal UserTOP 20

I would opt for a WatchGuard UTM due to its advanced security features.

See link:

Also check awards/reviews on the product:

03 October 17
MayleenBywaterReal UserTOP 20

I would recommend the Fortigate and agree that the new E range has expanded the functionality.

03 October 17
Hamza_FarhanReal User

I recommend Fortigate over Cisco for many reasons:

Cisco as a company is not a security company in the first place; they are doing a great job with switching / routing but not with security. The integration between Cisco ASA and Sourcefire is suffering from many issues; they are trying to integrate two different vendors in one box. The Fortigate 100D has better performance compared to Cisco ASA 5516. Also, price-wise, Fortigate is cheaper than Cisco and does the job better than Cisco.

I worked with three UTM/NGFW vendors and Fortinet was one of them. Forget about comments in the Gartner report and look at the NSS Labs report; this is the trusted report you need to use when choosing UTM/NGFW.

03 October 17
Derek CooperUser

We have a Fortinet and the new Firepower server (we are in the process of installing). I would not recommend the ASA with Firepower added in but would go with FTD, their new platform, if interested in Cisco. Our Fortinet has performed reasonably well. Frankly the Fortinet is cheap; have you considered Palo Alto? They just lowered the price of their firewalls and are doing well for UW… We went with the Firepower because this is the Morgridge Institute and John Morgridge (former CEO of Cisco) founded the institute. We run Cisco here as much as possible to honor John! Derek

03 October 17

Depends on how skilled you are with the Cisco command line to customize. I
have had great success with Fortinet and SonicWALL, but currently like
SonicWALL for their Capture ATP service to block ransomware and zero day
threats. Dan

03 October 17
Spencer ThomasonUser

Fortinet in all cases.

03 October 17
Luis ApodacaUser

OK, Cisco always sounds like the best solution, but it also always costs a lot. The advantage of this brand is that you could use the same brand and be sure about compatibility between your network core and the firewall you are looking for, of course, in case you are using Cisco switches. First question: are you using other Cisco devices?

I don't know if you can configure all of it with Cisco IOS, but you have a web admin interface which is more interesting than IOS. Second question: are you familiar with Cisco IOS or do you prefer a web admin interface?

About Fortinet and Fortigate, I already did research on this brand and it is not a complete solution; there is always something that will need some more modules, which is more expensive all the time.

At the beginning it could be cheaper than Cisco, but in the end it will be costing constantly, and last time I checked, it costs in yearly leasing. Third question: do you want yearly leasing for this solution?

I hope I am useful for you, have a good decision!

03 October 17
M Ike D IbbleUser

New Fortigate 200E replacing my ASAs as we speak. I can't say much for the Fortigate at this point as I am still in testing mode. What I can say is, Cisco makes great switches and routers. However, their years of being useful to consumers have since been surpassed, with other vendors making the same products for half the cost. My 200E was around 5k FULLY LOADED. Let's see Cisco pull that one off. Include smart net and all the bullshit that goes along with it. HA!! Now on to Sourcefire. You honestly need to be a dedicated engineer to Sourcefire and man it on a daily basis for it to be of any use to anyone. The ideas are great but getting it to work properly is simply just a pain in the ass. As big companies want to do more with less, and that includes fewer people, then where is the manpower to man such a beast? The days of port blocking and simple natting are long gone, and when you need the power of what today's new next gen firewalls bring to the table you need something that is easy to work on that can do the tough jobs easily. Cisco just doesn't bring it that way.

03 October 17
Luca AstoriReal UserTOP 20LEADERBOARD

Absolutely Fortigate FG-100D…

New software release 5.6 is powerful and FG is a next generation firewall & hardware

03 October 17

I would be happy to help. Can you share any more information about the overall project or need that the device would be serving?

03 October 17
Leko FordReal User

I would go with the Fortigate. It is built from the ground up as a NG firewall without a bunch of add-ons to get it up to functionality. Fortinet has repeatedly ranked ahead of Cisco in the Gartner Magic Quadrant report. The Fortigates have an easy GUI, and the CLI will take a little getting used to if you live in the Cisco world, but it is not bad. Add on top of all of that you can get two 100D firewalls working in failover mode cheaper than one 5516X with Firepower.

03 October 17
Alan WalkerUser

Unfortunately, I have no experience with the Fortinet line, but the Cisco model is one we use often. I can recommend it.

03 October 17

I recommend Fortinet FG-100D-DBL

03 October 17
Rabiul IslamReal User

Cisco ASA 5516-X Security Appliance

03 October 17
Marco De LellisReal User


My short answer: Fortinet FG-100D-DBL.

Cisco likes to have per-user VPN licensing, while in Fortinet firewalls
you can have as many VPN users as the iron can sustain.

Hardware acceleration for ACLs/policies, and content inspection/layer 7
application control, is available in almost all FG models, while those
in 200-300 range have non-lite ASICs.

High Availability configuration and management is really, really easy.

Fortinet documentation is won-der-ful, they have put a lot of effort in
quantity and quality.

We are proud users of a couple of 500D in HA, and another couple of 300D
filtering respectively 200 Mbps and 100 Mbps Internet traffic.

03 October 17
Taradutt PantReal User

May I have the requirements before selecting a firewall product?

Fortinet also has a few bugs.

03 October 17
Andreas BeudenConsultantTOP 20

@DataDeptMgr674 Sophos is the leader? Oh, that's new for me. :)
In real tests - we test all suppliers in front - Sophos failed every time. They have a big mouth.

03 October 17
Cherlius XieReal User

I personally would recommend Fortigate over Cisco. I find that Fortigate is more user friendly and it is purpose-built from scratch as a security product, but Cisco is a router with advanced security features.

I am not sure whether it is the same level of capabilities; maybe need to check further.

03 October 17
Andreas BeudenConsultantTOP 20

@Alvaro Picado. We use Check Point for segmentation. For network termination to the internet, mostly Palo Alto.
In industrial cases we use Stormshield as well.

03 October 17
System Admin Manager at a comms service provider with 1,001-5,000 employeesReal UserTOP 5

Dear I have not experienced Fortigate myself, however with my infra running Cisco ASA appliances, I have never found any issue of any sort. Cisco is an industry standard for enterprises. Definitely your requirement will be the benchmark for your selection.

03 October 17
Anjas VaheedConsultantTOP 20

I would recommend going with Fortigate as it is very easy to administer and has powerful next generation firewall features. It is also ranked high in Gartner's matrix. Troubleshooting, debugging and configuration are also much easier on Fortigate compared to Cisco.

03 October 17
DataDeptMgr674Real UserTOP 20

Try Sophos SG 125 Active / Passive; it's the same as Fortinet and a leader in security as well.

03 October 17
Alvaro PicadoReal User

Hi guys, thank you all for your answers. They have been entirely clear. We now have two active-active ASA 5520 firewalls and we are thinking of switching to FortiGate 100-D or 100-E. Thanks for your help :-)

03 October 17
Zaw AungUserTOP 20

I like both firewalls, but you should consider your team's or your own availability and resources to support the business.
Cisco has better throughput; Fortigate has better interface management and is easier to implement than Cisco.
Hope it helps.

03 October 17
Babar AhmedUser

I’ll recommend FG-100D-BDL

03 October 17
Ben WhittakerReal User

It has more to do about overall security.
What email protection do you have?
What endpoint security do you have?
Are you going to have a sandbox for malware analysis?

Best practices show that having an integrated solution is better than having best point solutions.

Both NGFW products are very strong.
Fortinet, with its hardware design, produces a very powerful and easy to use firewall; keep an eye on 5.6 and their security fabric integration.
Cisco now has a very integrated platform with SourceFire and AMP. Talos has strong threat intel and sees more threats than most due to Cisco's large install base.

The sizing does look too small for either product, especially when you start to turn on security features like SSL decryption.

03 October 17
User at a tech services company with 501-1,000 employeesUser

Fortinet FG-100D

03 October 17
President with 501-1,000 employeesUser

I would not recommend the FG100D because that is an old model. I would actually recommend the FG100E, which is the newest generation and almost double the speed of the previous generation. I recommend the Fortigate over the Cisco because it has much more functionality.
I’m sure there are comparison charts between Cisco and Fortigate that can show you why you should choose Fortinet.

03 October 17
Ian GoodingUser

We have 2 x Cisco ASA 5515s and 1 x 5516 with Firepower. This works for us, but needs a network engineer to make significant changes, and monitoring and investigation of issues isn’t a strength of these devices. What is good is the AnyConnect VPN software, which for our Windows users provides high performance, though Mac users working for other organisations (tech support) have had issues with theirs. It also does site to site well with Drayteks or Cisco at the other end. There have been no successful exploits through the firewalls of which I’ve become aware, but with little monitoring I might be living in blissful ignorance! We’ve had issues with the Cisco units getting them kept up to date for PCI pen tests – though this may be more of a feature of our tech support contract than necessarily anything caused by Cisco.

I haven’t got any personal experience of the Fortinet, but their NOC view isn’t something the ASAs support without external software.

Cisco ASAs are widely acknowledged as industry standard, but the main reason we went for them is that’s what our IT support team are most familiar with.

03 October 17
Mark KariukiUser

I would recommend Fortigate because it has better features compared to Cisco, which is at the moment trying to catch up with other vendors.

03 October 17
Shahid RasoolUser

I will recommend him to go with Fortinet FG-100D-DBL.

03 October 17
Zaid FarooquiUser

Both are OK as long as they meet your requirements, which are unknown to us at the moment :)

However, I don't think both these devices are capable of handling a load of 500 users.
Get Cisco 5545X with Firepower or FG 400D with UTM bundle.

03 October 17
Alvin KhadarooUser

For 201-500 employees the below FWs might be undersized and have a performance issue.

However between Cisco & Fortinet, I will suggest Fortinet due to the flexibility in the Web Filtering side and Application control.

03 October 17
N Aveen NaiduUser

I would recommend Cisco ASA5516-X over Fortigate.

03 October 17
DataDeptMgr674Real UserTOP 20

I prefer Fortigate: easy to manage, and in NSS Labs it’s top of the rack.

03 October 17
Michael DeesConsultant

My answer is Fortigate. If you do perform a side-by-side feature comparison you will see that the Fortinet has many more features than the Cisco ASA+Firepower. Add to that the company’s long-standing experience with unified threat management / next-generation firewalls and their price performance / lack of a “Cisco” tax and that they are consistently leaders in the Gartner “Magic Quadrant” for NGFW, this becomes an easy decision. Best of luck with this purchase and implementation.

03 October 17
Alexander KostovReal User

Actually Andreas is right. Depends on what the FW would be used for. Since those boxes are small, my guess would be that this would be used for internet facing, so I would recommend to check also the Palo Alto line. If it's for segregation I would go with the ASA and actually also check the Firepower 2110 box, since it's more future proof.

03 October 17
Archana KoulUser

Depends. ASA is just a next-gen firewall. But Fortinet is a UTM device. One box, all solution.

Now if the customer wants NGFW, we give ASA, and if the customer wants UTM, we provide Fortinet as the solution.

Also ASA is on the more expensive side.

03 October 17
Raymo BiesheuvelUser

I have worked with WatchGuard since 1991.
They have better security than Cisco, an easy interface, nice reporting.
You can make VPN tunnels with all brands of firewalls and routers.
My advice would be an M470 or M570 with full security pack.
If not going for WatchGuard, I would choose Fortinet with the FortiGuard add-on.

If you need more information or have questions about Watchguard you can always contact me.

03 October 17
Evgeny ShulgaReal User

Hi, for me the better option is Fortigate, but try to look for the new version of the appliance.

03 October 17
Alvaro PicadoReal User

Thank you all for your answers and tips

03 October 17
Alvaro PicadoReal User

Hi, Andreas. Thanks for your answer. Which firewall do you recommend?

03 October 17

Cisco ASA 5516-X Security Appliance with FirePOWER

03 October 17
Cristian BraneaUser

CISCO ASA 5516-X with FirePower /services

03 October 17
Andreas BeudenConsultantTOP 20

It depends on the case. For segmentation you can use both.
For network termination to the internet I wouldn't use either of them.

03 October 17
Find out what your peers are saying about Cisco, Fortinet, Juniper and others in Firewalls. Updated: June 2019.