Fortinet FortiGate UTM vs Palo Alto Networks Next-Generation Firewall – Product line and business

Over the last few weeks, I worked with Palo Alto Networks and Fortinet solutions, and I would like to give some feedback on those boxes. Initially I intended to write one blog article for the whole comparison, but after a day or two I felt it should be split into several small ones. So let's start with the product line.

Product line

Fortinet has SMB products, and Palo Alto cannot compete in that market. For example, the FortiGate 30D (the smallest Fortinet product) has a list price of $388 ($601 with a one-year subscription). The entry-level Palo Alto firewall is the PA-200, listed at $2000, with a yearly subscription of $450. Both companies offer mid-range to high-end appliances and virtual machine editions.

Both companies have a chassis solution. I did not test the Palo Alto chassis, but I was not really convinced by the Fortinet one. Fortinet uses older ASICs (NP4 and SP2), which means no IPv6 support, for example, and many features are not load-balanced across the chassis.


My understanding is that Fortinet sells more boxes while Palo Alto generates more revenue. For a partner working mainly in the SMB market, there is no point in working with Palo Alto Networks.
For partners working with service providers or large enterprises, the choice can be made more freely.


That's where Fortinet outperforms Palo Alto. Palo Alto has the well-established reputation of being expensive, and one of my customers ran a performance test with IXIA between a Palo Alto PA-5050 and a Fortinet 1500D (roughly half the price of the PA-5050).

The main test was run with 6000 rules configured.

On the FortiGate, we started to reach the limit at 10 Gb/s of traffic with 65k TCP sessions per second and 115k UDP sessions per second. In that situation, the box was able to handle 9 Gb/s of traffic, 38k TCP sessions per second and 55k UDP sessions per second.

On the Palo Alto, we started to reach the limit at 10 Gb/s of traffic with 10k TCP sessions per second and 12k UDP sessions per second. In that situation, the box was not able to maintain a constant number of TCP or UDP sessions per second and limited the traffic to 3 Gb/s.


Difference between IOS, IOS XE and IOS XR

I've been working with the ASR9k for some time. Even though the ASR9k is a Cisco router, it does not run IOS but IOS XR. IOS XR is a specific software that is available on the ASR9k, Cisco 12k and CRS-1.

Currently there are three types of software on Cisco routers: the classical IOS, IOS XE and IOS XR.

Classical IOS has been on the market for a long time. I started working with IOS version 10 on Cisco 2500 routers. You will find this IOS on entry-level routers like the ISR or enterprise switches like the 6500 or 3750. This IOS is a monolithic OS: all the features are in one file, and if one function of the system fails, most likely the whole system fails. It also means that if you want to upgrade the operating system, you need to reboot the system.

IOS XE is the software available for the ASR1K. In my view, it is like having Linux with an IOS interface. All the IOS functions are provided by a daemon called IOSD. The interface is the same as IOS with some minor changes, for example in the debugs. You can even get access to the Linux shell by typing:

request platform software system shell r0

A good book to start with IOS XE is Building Service-Aware Networks by Muhammad Afaq Khan.

IOS XR is a carrier-class IOS; the goal is to provide a more stable solution with process mirroring and advanced features. The interface is really different from the classical IOS. For example, when you change the configuration, you need to validate the changes with a “commit”. This is quite useful because you can make multiple changes and then activate them all with one command. It also lets you decide when the changes will be activated, and finally you have the option to roll the changes back. On the configuration side, instead of having the configuration grouped by interface, it is grouped by process, so you have the whole OSPF configuration or the whole PIM configuration together, instead of having part of the configuration on the interface and part at the process level.

To start with IOS XR, I recommend Cisco IOS XR Fundamentals by Mobeen Tahir, Mark Ghattas, Dawit Birhanu and Syed Natif Nawaz.



By request from Nassim in Algeria, a non-technical post on MPLS.

There are multiple ways to use MPLS: basic MPLS, MPLS-TE, MPLS-VPN and multicast over MPLS.

The goal of basic MPLS was to improve packet switching in a network. You can use basic MPLS in an enterprise network or in a provider network. With MPLS, instead of looking up the IP destination on each router, the first router decides the path across the network and the other routers only switch the packet. A path is called a Label Switched Path (LSP).

How does it work? First, you need a routing protocol (IGP). This IGP, typically IS-IS or OSPF, will synchronize and allow each router to have a complete routing table in memory.

Let's take a simple network with only two networks (A and B) represented in the routing tables:

Figure: only two networks, A and B, will be used for this demo.

So the IGP will establish a routing table in each router:

Figure: basic network after IGP synchronization.

The LDP process defines label values for each destination in the routing table. Labels are locally significant, meaning significant only for the router that originates them.

Figure: LDP defines labels.

The LDP process exchanges the label values between neighbors. At the end of the exchange, we have this status for the LDP information:

Figure: LDP synchronization.

Based on the routing table and the LDP table, the routers establish the LSP. For example, R1 knows that B is in the direction of R2 and that R2 wants 37 as the label for B. So if R1 needs to send a packet to B, it imposes (adds) the label 37 and sends it to R2.

R3, following the same reasoning, will send a packet destined to B to R4 with label 25. But R3 also knows that other routers will send it packets destined to network B with label 25 (it is the same value here, but it could have been different). So if it receives a packet with label 25, it swaps the label from 25 to 25 and sends it to R4.

Each router does the same. At the end, to go from A to B, we have:

R5, at the end, pops (removes) the label. When R1 needs to send a packet to B, it can select an LSP up to R5: R1 adds a label (37) to the packet and sends it to R2, R2 does not look at the layer 3 information but just swaps the label to pass it to R3, and so on. I did not explain Penultimate Hop Popping here; I might explain it in a future post.
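To make the IGP / LDP / LSP steps above concrete, here is a small simulation I added for this post; it is not code from the original article or from any router vendor. It builds the chain R1-R2-R3-R4-R5 with network A behind R1 and network B behind R5 (a constructed topology), computes hop-count next hops as a stand-in for OSPF/IS-IS, lets every router allocate locally significant labels and advertise them to its LDP neighbors, builds each router's label forwarding table, and then traces one packet from A to B through push, swap and pop. The label values 37 (R2), 25 (R3 and R4) and 24 (R5) for network B are constructed to match the figures in the text; everything else is allocated from 16 upwards.

```python
"""Toy simulation of basic MPLS: IGP next hops, LDP label allocation and
exchange, then LSP forwarding with push/swap/pop. Constructed example."""
from collections import deque

POP, SWAP = "POP", "SWAP"

# Constructed topology: chain R1-R2-R3-R4-R5, network A behind R1, B behind R5.
LINKS = [("R1", "R2"), ("R2", "R3"), ("R3", "R4"), ("R4", "R5")]
ATTACHED = {"A": "R1", "B": "R5"}   # which router each network is connected to
# Constructed label values reproducing the post's figures for network B
# (37 advertised by R2, 25 by R3 and R4); R5's value is arbitrary.
SEED = {("R2", "B"): 37, ("R3", "B"): 25, ("R4", "B"): 25, ("R5", "B"): 24}


def build_adjacency(links):
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def igp_routing_table(adj, attached):
    """Hop-count shortest paths (standing in for OSPF/IS-IS): for each router,
    map every network to its next-hop router, or "connected" at the egress."""
    rib = {}
    for router in adj:
        rib[router] = {}
        for net, egress in attached.items():
            if egress == router:
                rib[router][net] = "connected"
                continue
            prev, queue = {router: None}, deque([router])   # BFS from router
            while queue:
                cur = queue.popleft()
                for nb in adj[cur]:
                    if nb not in prev:
                        prev[nb] = cur
                        queue.append(nb)
            hop = egress                    # walk back from egress to first hop
            while prev[hop] != router:
                hop = prev[hop]
            rib[router][net] = hop
    return rib


def ldp_allocate(adj, attached, seed=None):
    """Each router binds a locally significant label to every destination;
    seeded values are honoured, the rest are taken from 16 upwards."""
    seed = seed or {}
    labels = {}
    for router in adj:
        mine = {n: seed[(router, n)] for n in attached if (router, n) in seed}
        used, nxt = set(mine.values()), 16
        for net in sorted(attached):
            if net not in mine:
                while nxt in used:
                    nxt += 1
                mine[net] = nxt
                used.add(nxt)
        labels[router] = mine
    return labels


def ldp_exchange(adj, labels):
    """LDP neighbors advertise their bindings: router -> neighbor -> {net: label}."""
    return {r: {nb: dict(labels[nb]) for nb in adj[r]} for r in adj}


def build_lfib(adj, rib, labels, learned):
    """LFIB per router: incoming label -> (action, outgoing label, next hop).
    Transit routers swap to the next hop's label; the egress pops."""
    lfib = {}
    for router in adj:
        lfib[router] = {}
        for net, nh in rib[router].items():
            in_label = labels[router][net]
            if nh == "connected":
                lfib[router][in_label] = (POP, None, net)
            else:
                lfib[router][in_label] = (SWAP, learned[router][nh][net], nh)
    return lfib


def forward(src_net, dst_net, attached, rib, learned, lfib):
    """Trace one packet along the LSP: ingress pushes the next hop's label,
    transit routers switch on the label only, the egress pops and delivers."""
    router = attached[src_net]
    nh = rib[router][dst_net]
    if nh == "connected":
        return [(router, "IP", None)]
    label = learned[router][nh][dst_net]
    trace = [(router, "PUSH", label)]
    router = nh
    while True:
        action, out_label, nxt = lfib[router][label]
        if action == POP:
            trace.append((router, POP, None))
            return trace
        trace.append((router, SWAP, out_label))
        label, router = out_label, nxt


def simulate(src_net="A", dst_net="B", seed=SEED):
    """Run the whole sequence and return the per-router trace of one packet."""
    adj = build_adjacency(LINKS)
    rib = igp_routing_table(adj, ATTACHED)
    labels = ldp_allocate(adj, ATTACHED, seed)
    learned = ldp_exchange(adj, labels)
    lfib = build_lfib(adj, rib, labels, learned)
    return forward(src_net, dst_net, ATTACHED, rib, learned, lfib)


if __name__ == "__main__":
    for hop in simulate():
        print(hop)
```

Running it prints the A-to-B path as PUSH 37 at R1, SWAP to 25 at R2, SWAP 25 to 25 at R3 (the "same value" case the text mentions), SWAP to 24 at R4 and POP at R5; only the ingress ever looks at the IP destination. As in the text, the egress pops the label itself, so Penultimate Hop Popping is deliberately not modelled.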

This way of using MPLS is deprecated. Most service providers want to use MPLS-TE instead. With MPLS-TE, you have more control over the path inside the network and you can do bandwidth reservation. Also, doing basic IP routing is not really common on an MPLS network; people want to run applications on top of it, like MPLS-VPN or multicast over MPLS. But that's the beginning of the MPLS explanation.



Data Center using Fibre Channel over Ethernet

I was in Almaty, Kazakhstan, giving a training on FCoE, and I got some questions on the adoption of FCoE technology. Should we move? When? Why?

Fibre Channel over Ethernet is a technology that allows connection to a Fibre Channel SAN across an Ethernet network. The technology is quite new and has many requirements.
The requirement on the server is a Converged Network Adapter (CNA). The CNA is a card with both Fibre Channel and Ethernet capabilities. Most of the models I have seen have two 10G Ethernet ports. Multiple types exist. For high-end servers, you need a CNA that processes the Fibre Channel protocol on the card itself. For low-end servers, you can use a card like the Intel Oplin 10G Ethernet card, where the Fibre Channel processing is done by the operating system.

Figure: Converged Network Adapter.

Currently, not all 10G Ethernet cards have Fibre Channel capabilities. It may require a driver upgrade or a change of network card.

On the Ethernet network, you need to support the Data Center Bridging protocols. On the design side, it is recommended that the FCoE network be limited to a part of your data center. With the solutions I have seen, you cannot do FCoE over the WAN, and even multihop FCoE is really limited. All the equipment in your FCoE network needs to support FCoE.

The advantage of FCoE is to limit the number of network devices per row. Instead of having two Ethernet switches and two Fibre Channel fabrics, you can have only two FCoE devices. It allows better integration of your SAN and LAN, and it lowers your cabling, power and cooling requirements.

Currently, on the standards side, there are some weaknesses. Data Center Bridging standardization at the IEEE is taking time, and interconnecting solutions from multiple vendors is said to be difficult. Cisco and EMC have tested some solutions with mixed equipment. Maybe the Fibre Channel Industry Association should label tested interoperability, like the Wi-Fi group does.

Is it time to move? There is no simple answer. I would not recommend that one of my customers change all their existing equipment to support FCoE. On the other hand, it could lower the TCO for new server deployments. If a new rack of servers is required, I would push FCoE, as there is no competing solution. FCoE is a good solution because it allows you to move to this technology at your own pace.

This is an entry-level post. I will try to do something more technical next time. Please comment and I will amend my post.
