
Hello:

 

My institution is currently reviewing its firewall strategy with the aim of upgrading/replacing our current firewall infrastructure.   We are currently a Checkpoint shop, with devices providing both Advanced Networking and firewalling (UTM) capabilities.  We recently met with reps from Palo Alto and Fortinet and on the surface they both seem to provide viable, possibly even cheaper alternatives.   I just wanted to hear from the group of any experiences with Palo Alto and/or Fortinet to help us in our decision making.   We currently have a combination of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.

 

Thanks

 

Allan Nelson

Manager, Security and Governance

University of Trinidad and Tobago

 

 

 

Help save paper! Do you really need to print this email? This e-mail (including any attachments) is intended for the sole use of the recipient/s to whom it is addressed and may contain material that is PRIVATE AND CONFIDENTIAL. It is the property of UTT in which all rights are reserved except where otherwise indicated. If you are not the intended recipient, please be advised that unauthorized use, disclosure, dissemination, reproduction, distribution of, or taking any action in reliance on the contents of this e-mail is STRICTLY PROHIBITED AND MAY BE UNLAWFUL. If you are not the intended recipient, please contact the sender by e-mail and delete all copies thereof. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Neither the sender nor UTT accepts any liability for damage of any kind resulting from risks which are inherent in the electronic transmission of messages.

Comments

Message from educause-lists@nathanielhall.com

Hi Allan.

I might be able to provide a little information for you on this topic. I want to be up front though, I work for a vendor who sells all three of these products. That said, I spent 6 years managing a Check Point infrastructure for a college, 18 months managing a Fortinet infrastructure for a power company, and another year managing Palo Alto in my own home. I've also been consulting on Check Point and Palo Alto for the last 18 months. This is my own personal opinion and not that of my company.

My favorite of the three is Palo Alto. They have some growing up to do, but I believe they are making great strides, especially in the newer versions. I often find that the system works with few issues. The only real issue I have had with the system is in respect to system load. Randomly my PA-200 will become very slow on the management side. The data side seems to continue just fine. I believe it is because I am running a lot of different features on such a small box. Under normal use, the system is great. Troubleshooting the system can occasionally be a pain, but it is nothing compared to Check Point.

On the other hand (and again, my personal opinion) Fortinet severely lacks. I have not tried the newer software, but I know on the 30+ devices I was using in the past, they were always overloaded even though the devices were rated for significantly more traffic than was passing through the system. We were always having firewall related issues of some sort or another. I have a brand new FortiWiFi 60C sitting on my desk waiting for testing, but I haven't gotten to it yet. Maybe it will change my mind.

As far as Check Point, they definitely have their place and once they are up and running they continue running. My biggest three issues with Check Point are with upgrades, feature changes, and troubleshooting. Upgrades are a serious pain in the rear. There are a lot of things that have to be manually upgraded or migrated to new hardware because the upgrade process doesn't do it for you. They will change how things work from version to version, which may cause issues. (AD replication negotiation immediately comes to mind). Lastly, troubleshooting is a big pain because traffic is processed in so many different ways that it becomes difficult to figure out. I was recently dealing with what should have been a simple fix, but it took Check Point themselves nearly 3 months to figure it out. On the plus side, Check Point has a great management dashboard and is a good system for non-techies since they probably won't be doing their own troubleshooting anyway.

Those are just my opinions on each. All have their pros and cons though.

--
Nathaniel Hall
GSEC GCFW GCIA GCIH GCFA CNSE

On 11/1/2013 5:05 PM, Allan Nelson wrote:
> Hello:
>
> My institution is currently reviewing its firewall strategy with the aim of upgrading/replacing our current firewall infrastructure. We are currently a Checkpoint shop, with devices providing both Advanced Networking and firewalling (UTM) capabilities. We recently met with reps from Palo Alto and Fortinet and on the surface they both seem to provide viable, possibly even cheaper alternatives. I just wanted to hear from the group of any experiences with Palo Alto and/or Fortinet to help us in our decision making. We currently have a combination of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.
>
> Thanks
>
> Allan Nelson
>
> Manager, Security and Governance
>
> University of Trinidad and Tobago

We ran through this exercise last year and went with Palo Alto.  So far, they have worked well.

 

Allan,

Earlier this year we went thru a bake-off and RFP process for replacing our Internet firewalls.  I'm certain that the vendors hated going thru the 144-point evaluation, but it made a clear and level playing field.  We selected Palo Alto from our responding manufacturers (Cisco, Juniper, Dell, HP, Fortinet) and have been *extremely* satisfied with the featureset, functionality, and performance of the device.

Kevin Hayes, CISSP
Information Security Officer
Computing & Information Technology
Wayne State University
313-577-3454
krhayes@wayne.edu



From: "Allan Nelson" <allan.nelson@UTT.EDU.TT>
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Sent: Friday, November 1, 2013 6:05:38 PM
Subject: [SECURITY] Checkpoint Vs. Palo Alto Vs. Fortinet

Hello:

 

My institution is currently reviewing its firewall strategy with the aim of upgrading/replacing our current firewall infrastructure.   We are currently a Checkpoint shop, with devices providing both Advanced Networking and firewalling (UTM) capabilities.  We recently met with reps from Palo Alto and Fortinet and on the surface they both seem to provide viable, possibly even cheaper alternatives.   I just wanted to hear from the group of any experiences with Palo Alto and/or Fortinet to help us in our decision making.   We currently have a combination of CP 9075s, 5075s and 576s deployed at our main and satellite campuses.

 

Thanks

 

Allan Nelson

Manager, Security and Governance

University of Trinidad and Tobago

 

 

 


I'd have to say we have been pretty happy with our selection of Palo Alto as well.

steve


I was an early adopter of Palo Alto (previously long-term FW-1 customer). The L7 functionality and threat prevention were "different" to get used to. We still have to explain to vendors looking to connect systems here that "port 80" doesn't necessarily mean "http". But last night, PA upgraded the threat prevention to deal with new zero day TIF vulnerability in Microsoft products. That gives that extra layer while we wait for Microsoft to respond .. again.

-Brian

________________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY@LISTSERV.EDUCAUSE.EDU] on behalf of Bradley, Stephen [bradlesw@MIAMIOH.EDU]
Sent: Monday, November 04, 2013 10:18 AM
To: SECURITY@LISTSERV.EDUCAUSE.EDU
Subject: Re: [SECURITY] Checkpoint Vs. Palo Alto Vs. Fortinet

I'd have to say we have been pretty happy with our selection of Palo Alto as well.

steve