Fortinet, Palo Alto or Check Point?


Which is the best and why? Comparisons would be appreciated.

Guest

40 Answers

ramesh1923 (Real User)

I have experience in all flavors mentioned here.

If you are thinking about the cost of the product, then go with Fortinet. Fortinet products are cheap when compared to PA or Checkpoint. Whereas the performance of the box is not mentioned on the datasheet. You have to rethink the value based on real-world traffic.

For a stable network my opinion is PA or Checkpoint. Both devices have certain features of their own which may not be replaced by another device.

I would advise you to consult with the SE who can understand your requirements and the unique features required by your organization.

Like (0) 04 October 17
Wilson Angulo C. (Real User, TOP 20)

My opinion: I think all vendors in security are great, but I prefer FORTINET.

Like (0) 20 September 17

My opinion about firewalls --> FORTI (FortiGate) is the best out of those 3: Fortinet, Palo Alto, Check Point.

Why? 1. Price (TCO), 2. Wide and complex functionality, 3. More user-friendly interface than ChPoint. Check Point is too expensive (my private opinion) compared with its functionality (the brand costs).

I haven’t got any experience with Palo Alto.

Like (0) 24 July 17

Having worked for Nokia and Check Point for eight years as a Senior S.E., and SonicWALL, and also being very familiar with Palo, Fortinet, Cisco & Sophos, I'd say it all comes down to the customer's requirements.
When I was Director of Engineering at Intel for their FW/VPN, I asked marketing for the numbers of how much of our customer base was using the FW component of our product, which was called and marketed as a VPN. An astounding 48 per cent used the FW. I immediately had our gateway rebranded "Intel FW/VPN".
According to IDC we were number 2 in market share at 14%, behind Bottle at 20%.
Unfortunately Intel bought our product as a "BB" (buy and bury). They took our code and put it on an ASIC chip and stamped it onto their NICs (network interface cards).
Being the director of engineering I was responsible for a good portion of that.

Like (0) 21 July 17

I can support on Fortinet Firewalls and its integration.

Like (0) 20 July 17

Best is subjective and I think there are many factors that could influence a decision.

Fortinet are generally less expensive but I have found their management and product splintering to be cumbersome, support is hit and miss and depends on the partner you work with. That said if you are on a budget it could be a good choice.

Palo have a good management platform, excellent firewalls and with the release of their new firewalls (820/50) have some cost effective solutions at the lower end, support is very good.

Checkpoint have a very good management platform, average firewalls with sometimes over complex configuration and from experience I would have to say awful support.

As always I would try to figure out what requirements and capabilities you are looking for, where the strengths and weaknesses of your security team lie and work from there. The solution should be built to fit your business requirements and budget.

Like (0) 19 July 17

I find Palo Alto complex to deploy, and complexity is the enemy of networking.

Checkpoint is good but I have not had much hands-on experience with it.

Fortigate firewall is what I will recommend, for the reasons below.

1. Fortinet offers the best support experience when you have issues.
2. The Fortiguard service offers regular updates to Fortigate to keep it as secure as possible.
3. The Fortigate is not a complex firewall to work with, hence deployment is easy and clear.
4. Fortigate gives more visibility on what is happening on the network and offers sandboxing on entry-level devices to better protect the network from zero-day threats.
5. Provides more flexibility when defining network policy, e.g. you can use captive portal, device identity or MAC to IP binding to control access to the network and internet.
6. Fortinet always keeps you up to date on the latest threats and how to proactively block them on the Fortigate, as experienced in recent threats like WannaCry and Petya.

I hope this will help.

Like (0) 19 July 17

If I were you,
I'd get the budget with PaloAlto and deploy with Fortigate 100D on HO, 30E on branches and Meraki Cloud Switches on branches.
So, you will cover Layer 1 and 2 with Meraki Switch and Layer 3 - 7 with Fortigate. Win-win solution.
Because the PaloAlto cost will be equal to Fortigate + Meraki combined.

Like (0) 19 July 17

Hi,
I think Fortinet is the best because its WebUI is the most friendly. Palo Alto is also OK. Check Point seems to require more technical knowledge.
I am sorry that I cannot find a colleague to help you because I have been on a trip recently.

王兰芳

Like (0) 19 July 17

Hi,

In my opinion, there's no clear winner among the 3 of them.

They each follow their own perspective on security, and in their perspective they are the winner.

If you need high throughput, Fortinet will be the best.

If you need to be more up to date or to respond as quickly as possible to zero-day attacks, you could choose Check Point.

If you are more concerned about application latency, Palo Alto is the right answer.

Although the differences in numbers between them are still debatable.

So if I choose my firewall, I will stick to the budget, purpose, and where it will be placed.

Regards,
-Nuki

Like (0) 19 July 17
N IT In Kumar (Real User, TOP 10)

Palo Alto gives you a complete solution to secure all your perimeter: it starts with the next-generation firewall, then WildFire, then Traps... everyone is secured. You have visibility of all your traffic and user activity. With the help of WildFire you get a verdict in just 5 minutes' time, and if you have Traps then your endpoint is secure. Palo Alto has AutoFocus, with the help of which we can see all the file verdicts and activity. Yes, if we compare on price then there is a challenge... it's up to you. In the market Alto is there and BMW is also there, but both have their own security standard. Palo Alto Networks is not giving you just a firewall, it's giving you a full solution.

Like (0) 19 July 17

I will be installing Fortinet in a month or two. Palo Alto is excellent also, but I like the overall functionality/features and easy to use interface of Fortinet a bit better.
David

Like (0) 18 July 17

Hate to say it but, "It depends"

I prefer Palo Alto but it is the most expensive.

Main criteria is having the staff trained who can support and understand the features, whichever you select. Another consideration is how well your choice integrates with other security components (existing and planned) and applications. This was a BIG deal when my college went through the selection process.

Michael McKeever

Like (0) 18 July 17

Checkpoint

Like (0) 18 July 17

I have already used both Fortinet and Checkpoint, in different ways though: Fortinet as an appliance and Checkpoint as software installed on a server.

The difference between the two solutions is huge:

· It was tough to change the public IP address of the Checkpoint server, as there was a need for a mail exchange with Checkpoint to be authorized to change the IP of the system

· Checkpoint solution did not have any IPS or antivirus solution integrated

· Checkpoint server did not have web filtering possibilities

· Checkpoint is strong and fast at analyzing and applying network rules to the data exchange between a server and different clients

· Fortinet as an appliance is much easier to maintain

· Fortinet includes by default an IPS, antivirus and web filtering

· Fortinet does not have a storage disk for logs by default

Fortinet seems to me better than Checkpoint and easier to maintain as it is an appliance. Checkpoint offers more possibilities in terms of configuration as you can use basic Unix commands on the server.

I hope I have given some useful information about at least two firewall solutions.

All the best

Ob

Like (0) 18 July 17

I am most familiar with Checkpoint and if you have the budget I would recommend you give it serious consideration. In our organization, Checkpoint IPS is a vital part of our security strategy and provides very current protection against threats, i.e. it can see into the traffic and block things like some of the crypto threats from entering your organization etc.

I have also had some exposure to Palo Alto and their tools for visibility into immediately occurring issues appear very good. On the "Free" side of things, I have worked quite a bit with PFSense, which seems both easy to set up and maintain with basic firewall rules and OK but not great visibility into firewall transactions, i.e. what is happening right now. I have also used the "Untangle" firewall over time and really liked the fact that it would send a daily email of both activity (what workstations/devices did the previous day/week/month etc.) as well as some info about threats. Untangle is not on par with the other large systems mentioned already but it may meet many of your needs if your budget is a challenge.

I would strongly urge you to consider a firewall in the context of an overall Security Strategy that involves various layers of security and is also tightly co-ordinated with your network design (having a DMZ etc)

Remember that your security strategy needs to be all about the layers:
Border Firewall needs to be beefy (Ram and CPU) and smart enough to handle current threats.

You need an email filter (spam firewall) which might be incorporated into your border firewall, we use barracuda for that as it is a specialized appliance for dealing with email threats.

You need to consider proxy capability so that outgoing web traffic is less likely to suffer from web attacks.

Reverse Proxy is important to protect any services you offer through the internet (webmail etc..) You might want to consider a big gun like F5, or using something built into a border firewall.

Network Intrusion is a tricky aspect of your security to manage. You should have some sort of SIEM or central logging and correlation system where all logs from every system accumulate (Windows, Linux, switches, other appliances etc.). This system should analyze these logs in real time and give you information about correlated events, i.e. 100+ login attempts in over a minute for an admin account from a workstation that earlier logged a malware infection might indicate that that workstation didn't get protected properly by your anti-malware. I believe the gold standard in this is SPLUNK, but you better have a very large budget to use SPLUNK as it is licensed based on transactions. I have seen Manage Engine Event Log analyzer work very well for this as well (cheaper than SPLUNK by orders of magnitude).

Your antimalware system today needs to have the smarts to know if a process or executable is misbehaving, so something that ties into global threat reputations, can stop behavior-based malware and provides excellent reporting. You might consider options like McAfee, Sophos, Carbon Black; there are a number of very good choices in this area.

Sorry for the very long reply but just asking for information on Firewalls without context of the rest of your solution makes it difficult to give you a meaningful reply.

Good luck with your quest!

VIC
=+=

Like (0) 18 July 17
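
The correlated event described in the answer above (100+ failed logins for an admin account from a workstation that earlier logged a malware infection), written out as an added example that is not part of the original post. The log format, host names, one-minute sliding window and admin account list are constructed assumptions, not any SIEM product's schema.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 100                      # "100+ login attempts" from the post
WINDOW = timedelta(minutes=1)        # assumption: attempts counted per sliding minute
ADMIN_ACCOUNTS = {"administrator"}   # assumption: site-specific list of admin accounts


def parse(line):
    """Parse a constructed line: '<ISO time> <source> <event> key=value ...'."""
    ts, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def correlate(lines):
    """Alert when a host that already logged malware produces a burst of
    failed admin logins (THRESHOLD or more inside WINDOW)."""
    infected = {}                    # host -> time of first malware detection
    recent = defaultdict(deque)      # (host, user) -> failure timestamps inside WINDOW
    alerted, alerts = set(), []
    # Logs from different systems arrive interleaved; order them by time first.
    for ev in sorted(map(parse, lines), key=lambda e: e["ts"]):
        host = ev["host"]
        if ev["event"] == "malware_detected":
            infected.setdefault(host, ev["ts"])
            continue
        user = ev.get("user", "").lower()
        if ev["event"] != "login_failed" or user not in ADMIN_ACCOUNTS:
            continue
        window = recent[(host, user)]
        window.append(ev["ts"])
        while ev["ts"] - window[0] > WINDOW:   # drop failures older than WINDOW
            window.popleft()
        if len(window) >= THRESHOLD and host in infected and (host, user) not in alerted:
            alerted.add((host, user))          # one alert per host/account pair
            alerts.append({"host": host, "user": user, "failures": len(window),
                           "malware_seen": infected[host], "alert_time": ev["ts"]})
    return alerts


def build_sample():
    """Constructed events from two log sources and four workstations."""
    day = datetime(2017, 7, 18)

    def failures(host, start_hour, count, step_ms):
        start = day + timedelta(hours=start_hour)
        return [f"{(start + timedelta(milliseconds=i * step_ms)).isoformat()} "
                f"winsec login_failed host={host} user=Administrator"
                for i in range(count)]

    lines = [f"{(day + timedelta(hours=h)).isoformat()} antimalware malware_detected host={host}"
             for h, host in ((9, "ws-17"), (8, "ws-31"), (7, "ws-40"))]
    lines += failures("ws-17", 10, 120, 400)    # infected earlier + burst: alert
    lines += failures("ws-22", 10, 150, 200)    # burst, never infected: no alert
    lines += failures("ws-31", 10, 40, 500)     # infected, too few failures: no alert
    lines += failures("ws-40", 10, 100, 6000)   # infected, 100 failures over ~10 min: no alert
    return lines


if __name__ == "__main__":
    for a in correlate(build_sample()):
        print(f"{a['alert_time']} {a['host']}: {a['failures']} failed {a['user']} logins "
              f"within {WINDOW}, malware logged at {a['malware_seen']}")
```

Neither signal alerts on its own here: the burst on ws-22 and the infections on ws-31 and ws-40 stay quiet, and only the host showing both is reported.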

We are using Fortinet 201E for small enterprise, which is best in the market and cheaper than others.

Palo Alto is for very large enterprise companies and more expensive, with no local support in the Middle East.

Never heard about Check Point

Like (0) 18 July 17

Fortinet antivirus is par to none. All of the top vendors listed use another vendor's antivirus. The first week we configured our Fortigates we caught a ransomware virus that was embedded in a Yahoo email. We were able to see where and who tried to open the email and remoted into the computer to verify it. NSS Labs as well as others can help give some perspective into how the products work. I was a little hesitant at first to turn on most of the features (URL filtering included) but knew that these firewalls had enough power to handle the load. We have an HA pair and updates are a breeze, no downtime. We have a sandbox and log fortianalyzer that actually works with the Fortigates. These also have built-in DDoS filters that prevented an attack on their own. This gives you great insight into who is trying to test your vulnerabilities and support can use this to help you block them in the future.

Like (0) 18 July 17

I have never used either Palo Alto or Check Point, but the fortigate is a pretty good firewall, easy to setup and maintain.

Like (0) 18 July 17

You really need to understand what the budget and objectives are. All of the firewalls mentioned above have their strengths and their advocates. I personally prefer Fortigate because they provide substantial functionality at very good price points, and that for the most part, once you learn the UI, you can manage the entire family of products.

Also, very few products have both a useful GUI and solid CLI to satisfy people who prefer either option, or just need to make a known change quickly in multiple places or devices.

It all comes down to what environment, cost, budget and support you have. But I tend to recommend Fortinet more often than not.

-ASB

Like (0) 18 July 17
Ken Sharp (Reseller)

I already rule out Palo Alto, after trying to configure one for FireMon syslog reporting. You have to enable a syslog repeater, then configure for every single rule. CheckPoints seem most secure, but more difficult to configure than zone-based Junipers. I've only dealt with a few Fortigates, but they seem more limited in function than the CheckPoints and Junipers.

Like (0) 18 July 17
Mitch Shanley (Real User, TOP 10)

I recently evaluated all of these as we were deciding to either upgrade and renew PaloAlto or change to another vendor. Protection was the leading factor. PaloAlto beat all the others if you turn on all the realtime protections. Check Gartner Magic Quadrant.
We compared Checkpoint, Cisco, Fortinet and 1 or 2 others with PaloAlto. We ended up going back to Palo Alto as we could not afford to have even one breach.

Like (0) 18 July 17
Hamza_Farhan (Real User)

I would recommend Fortigate over Check Point and Palo Alto for these reasons:

1. You can get almost the same features at a lower price for both hardware and support / license.
2. Checkpoint is the most expensive firewall among those listed above. Not only this, it is the most complex firewall in terms of configuration, design and troubleshooting. To manage a firewall, you need a management server. You can have the management running on your gateway (firewall) but you can expect some performance issues there. Plus, all features with the management server are NOT free, you have to pay to use them. Whereas with Fortigate, with a few clicks, you are ready to go.
3. The NSS Labs report shows that Fortigate is capable of blocking many attacks over Check Point and Palo Alto, and this is something you might need to take into consideration, as the main idea of having such a device is to protect your network.

Like (0) 18 July 17
John Crabtree (Real User, TOP 5)

Are you limiting the results for a specific reason?

The larger question here is what do they need? There is no one best; each one has a good pro and con list to compare. (Do they need web filtering, geo IP blocking, layer 7 filtering, detailed QoS control, redundant link failover, load balancing, client access, reports, automated reports, etc.?) There are a lot of open questions that can help anyone tailor what would be best to use.

My personal experience with those mentioned is to go with Palo Alto. It has a good, rock-solid and stable OS and can be configured to do most anything your client would need.
Fortinet's: The OS has many issues with memory even when you over-spec the unit. You will find yourself having to restart it pretty often. It does have a decent configuration GUI. (My personal opinion: unless it's an OS/firmware upgrade, the unit should never need to be rebooted.)
Check Point: At least the units I have had the wonderful time working with have been very "finicky"; granted, the last one I saw was about two years ago now, which imo is a good thing. I was not impressed.

Firewalls I did not see mentioned: Cisco ASA/Firepower, Cisco Meraki, SonicWall, PFSense, Adtran.
I do like the Cisco Units, though not for the faint of heart. Even the new ones you will find yourself in the shell often. That said there is a reason that most Datacenters use them, they have been around a long time and know how to build a good product.

Meraki: These have surprised me. They are as good as the Palo Alto FWs and the recent (time is relative) acquisition of OpenDNS/Umbrella into their security stack is a good blend. Easy to configure, A good option if the client will be in the FW making changes. When Paired with other Meraki units the Single Pane of Glass configuration is a plus. The Reporting is a nice feature with the ability to alert on. The Layer 7 Filtering and QOS is super well thought out. Really, really easy to configure. I can walk most anyone through a setup.

SonicWall: Just mentioning their name gives me headaches. Even after Dell purchased them the product isn’t any better again just my opinion. They are easy to setup, and that is all I will give them.

PFSense: I love OpenSource products, PFSense has a good plugin list and is easy to make your own. It is not for everyone. The recent last few firmware/OS upgrades introduced a better gui interface. Rock Solid (as long as you have good hardware.) They just work. You will however need to know the product well. Some configuration places can be confusing. Such as setting up Traffic Shaping is not as simple as in the others, “in a click of a button”.

Adtran: Adtran does not get mentioned enough. These units are good and do exactly what they are told. They never have to be rebooted unless you are upgrading the firmware/OS on the units. They are fast and as the phrase goes "they just work". The GUI is still a little dated when compared to others in the market. Once you get used to it, though, you're golden. The shell is near identical to the Cisco one, so for Cisco guys it's an easy go-between. They started out as a voice vendor product; as you know voice is never allowed to go down, and that is how their switches, routers, etc. are.

So to recap: It depends on what you want to do.

In your original list, The Palo Alto is the winner.

If you want to Expand it to the larger list I would say the Meraki if you want a good gui experience and support.

If you just want it to work with a ton of no extra cost add-ons the PFSense is the next option if you’re willing to put the effort into learning it inside and out, which only the hardcore guys seem to do.

Like (0) 18 July 17
Teresa (Real User)

Hi,
It's very hard to compare brand names of firewalls and you did not specify models. Normally, an IT person often uses a firewall and suggests that brand name. Actually, it will depend on what bundle of services you choose with each brand of firewall. Of course, Palo Alto - it's worth it.
My suggestion is based on your security requirements and your budget; then read the specs of each brand and choose whether the firewall is right for your network.

Like (1) 18 July 17

They can google the comparison. That’s what I did. Fortinet is definitely better than those mentioned.

Like (0) 18 July 17
NickDakoronias (Real User, TOP 20)

Hi,

The attached revised Gartner Report (published on July 10th, 2017), on the subject of the Enterprise Network Firewalls trade-offs (including the 3 brands requested), can help our colleague find the answers within an objective context and draw his conclusions.

Rgds,

Like (0) 18 July 17

We use Fortinet and Juniper. In Small and Mid-Range we replace Juniper with Fortinet. The administration is easier. JunOS is great but you must read and learn a lot and the fortinet web-gui is better. For administrators with lower skills the Fortinet is better. But you must learn and work with all products. You must know the appliances and the features from your appliance to build a secure infrastructure. Fortinet has solutions from iot, firewall, wifi, mail, web, dos, siem, analyzer, manager, sandbox, endpoint protection to cloud. So we can use it for our solutions and we have a consolidated administration.

Like (0) 18 July 17

I would advise they consider reviewing the NSS Labs Next Generation
Firewall (NGFW) Security Value Map 2017 where they can take into
consideration the Total Cost of ownership per protected Mbps vs security
effectiveness of the products.

https://www.nsslabs.com/research-advisory/security-value-maps/2017/ngfw-svm-graphic/

I have also attached the 2016 findings.

Kind regards,
Belinda

Like (0) 18 July 17
Matthew Titcombe (Consultant, TOP 5)

I have worked on PA, CP, & Fortinet. I found Fortinet to be the most capable and to have the best common interface for overall usage. As stated above, I found PA's to be overpriced for what they give you. Based on my monitoring of this sector, CP & PA are trying to catch up to Fortinet's and Cisco's ecosystem approaches. Cisco's ecosystem, since I brought it up, still requires a user to know too many different interfaces and leads to configuration issues.

My recommendation is Fortinet.

Like (1) 18 July 17

1. Based on the budget and network size.
2. Palo Alto with WildFire is very good but it comes with a price.
3. Fortigate and Palo Alto are similar in management and concept.
4. A firewall admin with Check Point skills is not that easy to find, and Check Point also didn't lead the market.

Like (0) 18 July 17

Yes, we are planning to purchase Palo Alto 3020, 820 & 220 firewalls for our Head Office and Branch Offices. Can you please share the Comparisons among Fortinet, Palo Alto & Check Point?

Regards,

Ghayur Abbas

Like (0) 18 July 17

FortiNet

Like (0) 18 July 17

Hello all;
My advice is Check Point, because the best solution for IPS/IDS is Check Point.

Like (0) 18 July 17

Hi,

can’t say much about Check Point or Palo Alto. Fortinet was ok, but we moved to Cyberoam vUTM which is more scalable, cheaper, and has HA.

Vytautas

Like (0) 18 July 17

Hi,

Check Point is the best. Awesome product. Visibility, security and user friendly. Of course don’t forget, Check Point has the best support team in the world. But the product is expensive.

Fortinet is good but if you want more security and more visibility, choose Check Point. Fortinet is grooving. I like Fortinet because of the cost.

Palo Alto is just scrap. They stole firewall software from Juniper. And it is not a cheap product. In my opinion, forget Palo Alto.

Like (0) 18 July 17

Hi,

It depends on their requirements. Each solution adds a different layer of value.

Like (0) 18 July 17
Renato Pereira (Real User, TOP 20, POPULAR)

Fortinet

Like (0) 18 July 17