Upload
nechitis
View
434
Download
4
Embed Size (px)
Citation preview
WatchGuard XTM 5 & 8 vs. Fortinet
Battle Card
Get red. Get secured.
Example comparison XTM 810 XTM 820 XTM 830 FG-600C FG-1000C
AV Throughput** 2 Gbps 2.1 Gbps 2.3 Gbps 1.3 Gbps 1.7 Gbps
IPS Throughput** 2.1 Gbps 2.4 Gbps 2.7 Gbps 4.0 Gbps 6.0 Gbps
Drag and Drop VPN Yes Yes Yes No No
Number of Reports 50+ 50+ 50+ <5 <5
Application Proxies Yes Yes Yes No No
Cost / Speeds&Feeds / Features XTM 515 XTM 525 XTM 535 XTM 545 FG-100D FG-200B FG-300C
AV Throughput** 1.5 Gbps 1.7 Gbps 1.8 Gbps 2 Gbps 300 Mbps 95 Mbps 200 Mbps
IPS Throughput** 1.6 Gbps 1.7 Gbps 1.8 Gbps 1.9 Gbps 950 Mbps 650 Mbps 1500 Mbps
Drag and Drop VPN Yes Yes Yes Yes No No No
Number of Reports 50+ 50+ 50+ 50+ <5 <5 <5
Application Proxies Yes Yes Yes Yes No No No
* Fortinet does not publish UTM throughput, but advises customers wishing to run multiple security services to size based on the lowest performance number, typically Anti-Virus (AV) throughput.
Questions to ask prospective buyers:Do you get the fastest performance? WatchGuard XTM appliances provide faster throughput for anti-virus and IPS compared to Fortinet models at the same price. Fortinet products are designed to optimize packet filter throughput, but they fall down when security services are enabled.
Do you have the best possible security?WatchGuard incorporates best-in-class security services from industry stars such as Websense, AVG, and Commtouch, and incorporates them into a well-integrated, simple management interface.
Do you need comprehensive historical reporting – without breaking the budget? WatchGuard bundles over 50 pre- defined historical reports, while FortiGate products come with fewer than 5 – unless you purchase costly FortiAnalyzer.
Do you need to connect multiple offices? WatchGuard System Manager’s Drag and Drop VPN method allows for fast, easy, secure connections between locations.
Do you use multiple WAN connections? WatchGuard’s Fireware XTM supports up to 4 WAN connections, and has easy yet powerful multi-WAN failover and load balancing features.
Do you want to control traffic priority with QoS? Fireware XTM has a richer implementation, allowing you to control priority of users, applications, or data flows. Fortinet has a minimal implementation – and what is there may be configured via the CLI only.
Overview: WatchGuard vs. FortinetWatchGuard offers an unbeatable combination of performance, security, and ease of use. Fortinet’s UTM product strategy is based heavily on its ASIC technology. The custom silicon allows their boxes to run very fast for packet filtering and VPN, but at a considerable penalty for general-purpose tasks such as AV and IPS scanning. Customers and resellers alike realize the numbers that matter are those showing how an appliance performs when delivering security services, not just packet filtering. Gartner has indicated that prospects are turned off by products with a wide gap between packet filter and UTM performance.
CONFIDENTIALNot for Distribution
Battle Card
Get red. Get secured.
Fortinet and TCO• Price per Mb of AV performance is much higher than
WatchGuard – Fortinet products are fine for fast firewall/VPN performance, but for customers looking for true unified threat management, reaching performance equivalent to WatchGuard’s XTM 8 Series, even spending thousands more, is not attainable, even on their very high-end equipment!
• Centralized Logging and Management Tools – Fortinet charges extra for FortiAnalyzer and FortiManager. Each of these products adds thousands to the total system price (Minimum $9,995 for FortiManager 400A, the minimum FortiManager for the 310 and 620 models, and $1,495 for the FortiAnalyzer 100C). By contrast, WatchGuard bundles full centralized management and logging/ reporting functionality with every XTM appliance.
• Spam Quarantine – When using the WatchGuard spamBlocker subscription, full-featured quarantine server software is included. Fortinet’s quarantine is part of the separate FortiAnalyzer product (minimum $1,495 extra).
AV Throughput (Mbps) vs. 1-year Bundle Price (USD)
This chart includes models for which this information is published by the vendor. There may be other models sold by the vendor for which UTM throughput or price was unavailable at the time of this publication.
CONFIDENTIALNot for Distribution
Points of Emphasis• Low Speed: Fortinet ASIC technology is GOOD for firewall
performance, but very POOR for Content Inspection performance. Fortinet’s own internal sales literature advises using the slowest speed–typically AV–in sizing boxes for customer networks. For example FortiGate 620B offers a Firewall with 16,000 Mbps, but only 250 Mbps AV ONLY throughput!
• More Expense: Fortinet charges for items that WatchGuard bundles. Central Management & logging cost extra with Fortinet. The three year TCO for Fortinet solutions compared to WatchGuard looks like this:
~ Average 3.11x for appliance + MVPN clients ~ Average 2.32x for UTM bundle ~ Average 2.93x for UTM bundle + MVPN clients
Other additional costs: ~ Central Management appliance $2,254 extra ~ Logging appliance $1640 extra
• Less Usability: Fortinet does not offer much in the way of useability or network visibility tools, unlike WatchGuard, which includes full centralized management and logging/reporting functionality with every XTM Series appliance. Their solutions do not include: Drag and Drop VPN, HostWatch or Traffic Monitor. There are two included reports – unlike the 65+ provided standard with WG XTM solutions.
• Anti-virus lock-in: Fortinet’s strategy is to lock users into a single set of AV protection by deploying the same proprietary AV at the endpoint and the gateway. WatchGuard deploys a best-in-class AV solution at the XTM appliance, and allows customers to choose a different vendor at the endpoint for double protection.
2400
2000
1600
800
1200
400
0
$0 $2,000 $4,000 $6,000 $10,000$8,000 $12,000 $14,000 $16,000 $18,000 $20,000
Thro
ughp
ut (M
bps)
Price WatchGuard Fortinet
XTM 830
XTM 820XTM 545
XTM 525
XTM 810
XTM 515
XTM 535Fortigate 1000C
Fortigate 100D
Fortigate 200B
Fortigate 600C
Fortigate 300 C
Battle Card
Get red. Get secured.
Significant Feature Advantages for WatchGuard
FeatureXTM
Series FortiGate Why it matters
Application Proxies
Application proxies provide smart defaults for out-of-the-box protection. They allow almost unlimited ability to custom-tailor the security policy to the organization’s needs. Proxies not only provide zero-day attack prevention, they also add robust client and server protection capabilities such as command limiting, server cloaking, control over cookies, and much, much more.
Interactive Real-Time Monitoring
WatchGuard’s suite of real-time monitoring tools make troubleshooting a breeze, with live displays of allowed and denied traffic, user activity, bandwidth usage, and more.
Application Control Businesses need the ability to define, enforce, and audit security policies based on applications, users, and groups. WatchGuard Application Control manages a higher number of applications than FortiOS (over 1,800 vs. 1,200).
Protocol-specific VoIP Security
Fortinet does not have ALGs for VoIP protocols, which means they have little to no application-specific VoIP security.
Graphical, offline policy editor
Policy Manager has a major advantage over Web UIs such as Fortinet’s in that it allows the admin to create the policy offline, then deploy it when needed; it also makes it easy to make multiple versions of a config, then change them in/out to test different configurations.
Drag and Drop VPN Makes creation of site to site tunnels a snap—and everything you need is included with the product.
Full suite of reporting tools included
Reporting is a costly add-on for Fortinet; the appliances come with only a small handful of reports, compared to WatchGuard’s over 50 included reports.
Encrypted, TCP-based logging with no extras to buy
TCP ensures messages aren’t lost; encryption provides security. Fortinet only supports encrypted logging with the FortiAnalyzer (separate purchase).
Next-Generation anti-spam and included quarantine
WatchGuard’s spamBlocker uses a next-generation anti-spam technology that makes it highly effective, language- and content-independent, and extraordinarily easy to configure. It also includes a full-featured quarantine server package, whereas Fortinet’s spam quarantine requires the FortiAnalyzer (separate purchase).
Reputation Enabled Defense
WatchGuard is the only UTM to offer web reputation defense as a fully integrated security subscription. This cloud-based reputation service aggregates data from multiple feeds for real-time protection and for optimization of anti-virus processing; tests show a reduction of up to 50% in AV processing overhead. Protect your users from malicious web content while reducing web processing time with Reputation Enabled Defense.
CONFIDENTIALNot for Distribution
Best-in-Class Security SolutionsWhereas other solutions rely on small in house teams, WatchGuard partners with the leading companies in the security industry to deliver best in class security solutions to our customers.
For Gateway AntiVirus, WatchGuard relies on the proven technology of AVG, a company with over $270 million in revenue that is completely dedicated to AntiVirus solutions. AVG has an R&D team of over 200 people, and their products are installed on more than 110 million endpoints worldwide.
Best-in-Class AntiVirus: Better Threat Coverage
Extended (buffer)
Standard
Extended
Regular (Proxy)
Stream
500K 1M 1.5M 2M 2.5M
Along with providing more comprehensive signature sets, the WatchGuard engine also incorporates heuristics capabilities to detect new viruses that signatures alone cannot catch.
Webblocker uses a url database from Websense, the #1 stand-alone security company with $370 million in revenue, and a specialist in url filtering and web security. Websense has earned the most web security revenue four years in a row, as measured by IDC, and they were chosen by Facebook as their url filtering solution.
Commtouch, antiSpam:
In business since 1991, Commtouch’s patented RPD technology in the Cloud provides spamBlocker with the only effective antispam solution for low footprint UTM appliances. Commtouch reviews over 4 billion messages per day looking for spam outbreaks.
BroadWeb, Application Control:
Application Control Signatures and behavioral detection are provided by Broadweb, with over 1800 applications included. This solution provides broader coverage than other UTM vendors, and includes a unique drill down capability for application sub-functions.
BroadWeb, IPS:
A comprehensive set of signatures is also provided by Broadweb. Every signature update is tested with industry leading, MuDynamics test equipment.
Summary• Fortinet has FEWER administrative tools.
• Fortinet has LIMITED Multi-WAN support.
• Fortinet has WEAK QoS support.
• Fortinet has HUGE performance degradation with security on.
• Fortinet is MORE EXPENSIVE over time.
Battle Card
Get red. Get secured.
CONFIDENTIALNot for Distribution
Websense accolades:
AVG Accolades:
No express or implied warranties are provided for herein. All specifications are subject to change and expected future products, features or functionality will be provided on an if and when available basis. © 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, and LiveSecurity are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE66772_052512