Performance comparison between Cisco Firepower and FortiGate - Which is better?
The short answer is it depends on what you are looking for.
FortiGates are great devices. They offer lots of features, a decent and friendly UI and overall good performance, and they do it cheaper than most others. Security features and UTM are pretty good too. However, from my experience, beware of dimensioning: if you're planning to activate several of the features a FG supports (AV, IPS, WLAN Controller and such), performance can drop substantially and cause all kinds of failures, so it might be a good idea to over-dimension your hardware a bit to avoid issues.
On the other hand, I've found Cisco to be the most stable and reliable, and to offer the better performance of the two. They also offer better protection, and Cisco Support is the best IMO. However, the prices of Cisco are often higher than other vendors'. ASAs are more complex, so there will be a steeper learning curve for you to get going with these, and the GUI (ASDM) is lacking compared to others, so knowing (and loving) the CLI is a must.
In summary, go Fortinet if you're looking for decent performance, great security and easy administration at lower prices. Go Cisco if you require better security, performance and reliability, and don't mind paying a little extra and spending a few more hours learning to handle them.
Hope this helps. Regards.
At a fraction of the cost, the FortiGate 3600C vs. Cisco ASA 5585-X SSP-60 is an example of how Fortinet beats Cisco in price/performance, capacity and overall security.
To answer your question, let me ask a question first. What's your main target? Security first or money first? In my point of view and based on my real experience:
- Fortinet is good if you need an appliance with many features such as antispam, antivirus, URL filtering, app control and firewall. It's an all-in-one solution --> Fortinet is easy to use and maintain. But its performance is not as good as shown on the datasheet: if you turn on IPS, the performance decreases by about 40-50%, and so on... I see a few of my customers turn on this feature because of its reliability. For support service, Fortinet's response is poor.
- Cisco Firepower: its performance is good, and if you purchase the all-in-one license, you will also have features like URL Filtering, App Control and IPS. The most interesting part is the AMP feature; I think it is better than the Fortinet product. You can view the Gartner report about AMP. Sourcefire has many cool features such as traffic profiling, correlation, remediation and auto discovery (host, application, user). It also has an IPS auto-learning feature and can help to auto-tune/apply appropriate signatures for your applications. It also has a DNS security feature (using OpenDNS) to help mitigate botnets, and other features like IP Intelligence, C&C, Phishing, Spam Source... For support service, Cisco is better, with faster response time and also escalation time when your issue is very critical. Forgot to mention, Firepower can do DPI-SSL inspection, and if your infrastructure has F5, it will be better to offload SSL to F5 and get packet inspection by Firepower; it's a good combination.
So in conclusion, if you want the best-in-price product, you can choose Cisco. If money is a big problem, Fortinet is a choice. Also, Cisco has many products that can suit your environment (from the Firepower 2000 series to the 8000 series).
I see a lot of these "vendor vs vendor" questions, when it really should be a question of "solution for this size network from vendor A vs vendor B".
Cisco Next Generation firewalls use behavior-based algorithms to perform deep packet inspection. To be fair, most Next Generation firewalls have the ability to identify malicious traffic patterns. However, Cisco OpenDNS is a great way to protect organizations from ransomware, botnets and remote access trojans. The solution is cloud-based, scalable and easy to use. Cisco OpenDNS blocks access to malicious websites and other compromised systems.
I would recommend FortiGate. It is easier to manage, the services offered in the UTM Bundle (IPS, AV, Anti-Spam) are excellent, and it is a layer-7 firewall with very granular control of your network. The diagnose feature, packet capture and troubleshooting features of the FortiGate firewall are also the best. Cisco ASA, comparatively, achieves the IPS functionality through Sourcefire. The upgrade of Sourcefire takes ages (the time to upgrade from one version to another is pretty long, and it is GBs in size for a small upgrade), and management and operation are quite a challenge in Cisco Firepower. There is a lot to say about this. My choice, of course, would be Fortinet.
It's tough to give a comparison without knowing what I'm comparing it with. Is there a specific Cisco Firepower model you were looking at?
When it comes to performance between two vendors, there are always models which can match those of the other, given they stay within budget.
Based on the Gartner Magic Quadrant and other third-party evaluations, Fortinet's FortiGate consistently outperforms Cisco's Firepower. When sizing the box for performance, I would get Fortinet directly involved so you don't accidentally purchase an underpowered firewall.
Fortigate is better...
Cisco is better on performance because it uses the physical CPU, while FORTINET uses ASICs.
Which models of FortiGates and Firepower? If the throughput and performance for the features used are comparable, then it also depends on how the features are used. Using all the UTM features on all traffic/all policies will slow down the performance to some extent.
FortiGates are good with a number of features enabled at the same time, on most of the traffic. Try avoiding unwanted UTM profiles on trusted traffic (e.g. any inter-server traffic streams) to improve the overall performance of the box.
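The policy split described above (UTM profiles only where they are needed), as an added FortiOS CLI fragment that is not part of the original post. It assumes FortiOS 6.x syntax and that the interface names and address objects (port1, port3, port4, wan1, app-servers, db-servers, user-lan) already exist; the `#` lines are explanatory and are not FortiOS commands.

```text
config firewall policy
    # Trusted east-west traffic: plain accept, no UTM profiles,
    # so it stays on the fast path and does not load the IPS engine.
    edit 10
        set name "srv-to-srv-trusted"
        set srcintf "port3"
        set dstintf "port4"
        set srcaddr "app-servers"
        set dstaddr "db-servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Untrusted user-to-internet traffic: this is where the
    # AV/IPS/web filter/app control profiles are actually worth the CPU.
    edit 20
        set name "users-to-internet"
        set srcintf "port1"
        set dstintf "wan1"
        set srcaddr "user-lan"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
        set logtraffic all
        set nat enable
    next
end
```

After applying the change, `diagnose sys top` gives a quick before/after view of whether the IPS engine's CPU share actually dropped.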
I think you would have to state what your goals in asking for a solution are, if neither meet your requirements then 'better' is a moot point. Understanding what you want from a solution should tell you which solution best meets your business requirements.
Fortinet FortiGate is the better choice looking at performance: FortiGate uses purpose-built security processors, drastically boosting performance and scalability to enable the fastest network security appliance. FortiGate uses FortiASICs, and these security processors are used to scale from 1 Gbps to 1 Tbps of firewall throughput independent of packet size. This technology offers the ability to run multiple security applications without degradation in performance.
However, if you're planning on using AV, Email Filter, App Ctrl, IPS, WLAN Controller and more, then you should really consider having a rightly specced appliance to prevent performance issues, since IPS demands high processor usage.
The FortiGate was built from the ground up as a next-gen security device, while the ASA adds license features on top of its build to try to keep up with the changing security landscape, with the Firepower purchase being the latest.
Are you comfortable in the CLI? You need to be for any Cisco device.
When it comes to cost, we were able to buy two FortiGates for less than the price of one comparable ASA and set up redundancy.
The ASA is a better overall networking/VPN device trying to improve its security, while the Fortinet is a security device trying to improve its networking. As Firepower develops and improves, I think the ASA will be the better overall solution. Right now, the Fortinet is ahead with more mature overall security features, but is limited in overall networking features.
I think you should look at SonicWALL's new code 18.104.22.168-25n; it is more powerful than its competitors and also can do DPI-SSL, which is the need of the hour. The Content Filtering features are simply phenomenal.