Over the last few weeks, I worked with Palo Alto Networks and Fortinet solutions. I’d like to give some feedback on those boxes. Initially I wanted to write one blog article for the comparison… But after one or two days, I feel that I should split it into multiple small ones. So let’s start with the product line.
Product line
Fortinet has SMB products and Palo Alto can’t compete in this market. For example, the 30D (smaller Fortinet product) has a list price of $388 ($601 with a 1-year subscription). The first Palo Alto FW is the PA-200, listed at $2000, and the yearly subscription for this FW is $450. Both companies have mid-range to high-end solutions and VM solutions.
Both companies have a chassis solution. I did not test the Palo Alto chassis, but I was not really convinced by the Fortinet solution. Fortinet uses old ASICs (NP4 and SP2), which means no support for IPv6, for example. And a lot of features are not load balanced inside the chassis.
My understanding is that Fortinet is selling more boxes and Palo Alto is making more revenue. For a partner working mainly in the SMB market, there is no point in working with Palo Alto Networks.
For partners working with service providers or big enterprises, the choice can be made more freely.
That’s where Fortinet outperforms Palo Alto. Palo Alto has the well-deserved reputation of being expensive, and I’ve got a customer who ran a performance test with IXIA between a Palo Alto 5050 and a Fortinet 1500D (more or less half the price of the PA-5050).
The main test was with 6000 rules configured.
On the FortiGate, we started to reach the limit with 10Gb/s of traffic, with 65k TCP sessions per second and 115k UDP sessions per second. In this situation, the box was able to manage 9Gb/s of traffic and to manage 38k TCP sessions per second and 55k UDP sessions per second.
On the Palo Alto, we started to reach the limit with 10Gb/s of traffic, with 10k TCP sessions per second and 12k UDP sessions per second. In this situation, the box was not able to maintain a constant number of TCP or UDP sessions per second and limited the traffic to 3Gb/s.