WatchGuard XTM 5 & 8 vs. Fortinet

Battle Card

Get red. Get secured.

Example comparison XTM 810 XTM 820 XTM 830 FG-600C FG-1000C

AV Throughput** 2 Gbps 2.1 Gbps 2.3 Gbps 1.3 Gbps 1.7 Gbps

IPS Throughput** 2.1 Gbps 2.4 Gbps 2.7 Gbps 4.0 Gbps 6.0 Gbps

Drag and Drop VPN Yes Yes Yes No No

Number of Reports 50+ 50+ 50+ <5 <5

Application Proxies Yes Yes Yes No No

Cost / Speeds&Feeds / Features XTM 515 XTM 525 XTM 535 XTM 545 FG-100D FG-200B FG-300C

AV Throughput** 1.5 Gbps 1.7 Gbps 1.8 Gbps 2 Gbps 300 Mbps 95 Mbps 200 Mbps

IPS Throughput** 1.6 Gbps 1.7 Gbps 1.8 Gbps 1.9 Gbps 950 Mbps 650 Mbps 1500 Mbps

Drag and Drop VPN Yes Yes Yes Yes No No No

Number of Reports 50+ 50+ 50+ 50+ <5 <5 <5

Application Proxies Yes Yes Yes Yes No No No

* Fortinet does not publish UTM throughput, but advises customers wishing to run multiple security services to size based on the lowest performance number, typically Anti-Virus (AV) throughput.

Questions to ask prospective buyers:Do you get the fastest performance? WatchGuard XTM appliances provide faster throughput for anti-virus and IPS compared to Fortinet models at the same price. Fortinet products are designed to optimize packet filter throughput, but they fall down when security services are enabled.

Do you have the best possible security?WatchGuard incorporates best-in-class security services from industry stars such as Websense, AVG, and Commtouch, and incorporates them into a well-integrated, simple management interface.

Do you need comprehensive historical reporting – without breaking the budget? WatchGuard bundles over 50 pre- defined historical reports, while FortiGate products come with fewer than 5 – unless you purchase costly FortiAnalyzer.

Do you need to connect multiple offices? WatchGuard System Manager’s Drag and Drop VPN method allows for fast, easy, secure connections between locations.

Do you use multiple WAN connections? WatchGuard’s Fireware XTM supports up to 4 WAN connections, and has easy yet powerful multi-WAN failover and load balancing features.

Do you want to control traffic priority with QoS? Fireware XTM has a richer implementation, allowing you to control priority of users, applications, or data flows. Fortinet has a minimal implementation – and what is there may be configured via the CLI only.

Overview: WatchGuard vs. FortinetWatchGuard offers an unbeatable combination of performance, security, and ease of use. Fortinet’s UTM product strategy is based heavily on its ASIC technology. The custom silicon allows their boxes to run very fast for packet filtering and VPN, but at a considerable penalty for general-purpose tasks such as AV and IPS scanning. Customers and resellers alike realize the numbers that matter are those showing how an appliance performs when delivering security services, not just packet filtering. Gartner has indicated that prospects are turned off by products with a wide gap between packet filter and UTM performance.

CONFIDENTIALNot for Distribution

Battle Card

Get red. Get secured.

Fortinet and TCO• Price per Mb of AV performance is much higher than

WatchGuard – Fortinet products are fine for fast firewall/VPN performance, but for customers looking for true unified threat management, reaching performance equivalent to WatchGuard’s XTM 8 Series, even spending thousands more, is not attainable, even on their very high-end equipment!

• Centralized Logging and Management Tools – Fortinet charges extra for FortiAnalyzer and FortiManager. Each of these products adds thousands to the total system price (Minimum $9,995 for FortiManager 400A, the minimum FortiManager for the 310 and 620 models, and $1,495 for the FortiAnalyzer 100C). By contrast, WatchGuard bundles full centralized management and logging/ reporting functionality with every XTM appliance.

• Spam Quarantine – When using the WatchGuard spamBlocker subscription, full-featured quarantine server software is included. Fortinet’s quarantine is part of the separate FortiAnalyzer product (minimum $1,495 extra).

AV Throughput (Mbps) vs. 1-year Bundle Price (USD)

This chart includes models for which this information is published by the vendor. There may be other models sold by the vendor for which UTM throughput or price was unavailable at the time of this publication.

CONFIDENTIALNot for Distribution

Points of Emphasis• Low Speed: Fortinet ASIC technology is GOOD for firewall

performance, but very POOR for Content Inspection performance. Fortinet’s own internal sales literature advises using the slowest speed–typically AV–in sizing boxes for customer networks. For example FortiGate 620B offers a Firewall with 16,000 Mbps, but only 250 Mbps AV ONLY throughput!

• More Expense: Fortinet charges for items that WatchGuard bundles. Central Management & logging cost extra with Fortinet. The three year TCO for Fortinet solutions compared to WatchGuard looks like this:

~ Average 3.11x for appliance + MVPN clients ~ Average 2.32x for UTM bundle ~ Average 2.93x for UTM bundle + MVPN clients

Other additional costs: ~ Central Management appliance $2,254 extra ~ Logging appliance $1640 extra

• Less Usability: Fortinet does not offer much in the way of useability or network visibility tools, unlike WatchGuard, which includes full centralized management and logging/reporting functionality with every XTM Series appliance. Their solutions do not include: Drag and Drop VPN, HostWatch or Traffic Monitor. There are two included reports – unlike the 65+ provided standard with WG XTM solutions.

• Anti-virus lock-in: Fortinet’s strategy is to lock users into a single set of AV protection by deploying the same proprietary AV at the endpoint and the gateway. WatchGuard deploys a best-in-class AV solution at the XTM appliance, and allows customers to choose a different vendor at the endpoint for double protection.

2400

2000

1600

800

1200

400

0

$0 $2,000 $4,000 $6,000 $10,000$8,000 $12,000 $14,000 $16,000 $18,000 $20,000

Thro

ughp

ut (M

bps)

Price WatchGuard Fortinet

XTM 830

XTM 820XTM 545

XTM 525

XTM 810

XTM 515

XTM 535Fortigate 1000C

Fortigate 100D

Fortigate 200B

Fortigate 600C

Fortigate 300 C

Battle Card

Get red. Get secured.

Significant Feature Advantages for WatchGuard

FeatureXTM

Series FortiGate Why it matters

Application Proxies

Application proxies provide smart defaults for out-of-the-box protection. They allow almost unlimited ability to custom-tailor the security policy to the organization’s needs. Proxies not only provide zero-day attack prevention, they also add robust client and server protection capabilities such as command limiting, server cloaking, control over cookies, and much, much more.

Interactive Real-Time Monitoring

WatchGuard’s suite of real-time monitoring tools make troubleshooting a breeze, with live displays of allowed and denied traffic, user activity, bandwidth usage, and more.

Application Control Businesses need the ability to define, enforce, and audit security policies based on applications, users, and groups. WatchGuard Application Control manages a higher number of applications than FortiOS (over 1,800 vs. 1,200).

Protocol-specific VoIP Security

Fortinet does not have ALGs for VoIP protocols, which means they have little to no application-specific VoIP security.

Graphical, offline policy editor

Policy Manager has a major advantage over Web UIs such as Fortinet’s in that it allows the admin to create the policy offline, then deploy it when needed; it also makes it easy to make multiple versions of a config, then change them in/out to test different configurations.

Drag and Drop VPN Makes creation of site to site tunnels a snap—and everything you need is included with the product.

Full suite of reporting tools included

Reporting is a costly add-on for Fortinet; the appliances come with only a small handful of reports, compared to WatchGuard’s over 50 included reports.

Encrypted, TCP-based logging with no extras to buy

TCP ensures messages aren’t lost; encryption provides security. Fortinet only supports encrypted logging with the FortiAnalyzer (separate purchase).

Next-Generation anti-spam and included quarantine

WatchGuard’s spamBlocker uses a next-generation anti-spam technology that makes it highly effective, language- and content-independent, and extraordinarily easy to configure. It also includes a full-featured quarantine server package, whereas Fortinet’s spam quarantine requires the FortiAnalyzer (separate purchase).

Reputation Enabled Defense

WatchGuard is the only UTM to offer web reputation defense as a fully integrated security subscription. This cloud-based reputation service aggregates data from multiple feeds for real-time protection and for optimization of anti-virus processing; tests show a reduction of up to 50% in AV processing overhead. Protect your users from malicious web content while reducing web processing time with Reputation Enabled Defense.

CONFIDENTIALNot for Distribution

Best-in-Class Security SolutionsWhereas other solutions rely on small in house teams, WatchGuard partners with the leading companies in the security industry to deliver best in class security solutions to our customers.

For Gateway AntiVirus, WatchGuard relies on the proven technology of AVG, a company with over $270 million in revenue that is completely dedicated to AntiVirus solutions. AVG has an R&D team of over 200 people, and their products are installed on more than 110 million endpoints worldwide.

Best-in-Class AntiVirus: Better Threat Coverage

Extended (buffer)

Standard

Extended

Regular (Proxy)

Stream

500K 1M 1.5M 2M 2.5M 

Along with providing more comprehensive signature sets, the WatchGuard engine also incorporates heuristics capabilities to detect new viruses that signatures alone cannot catch.

Webblocker uses a url database from Websense, the #1 stand-alone security company with $370 million in revenue, and a specialist in url filtering and web security. Websense has earned the most web security revenue four years in a row, as measured by IDC, and they were chosen by Facebook as their url filtering solution.

Commtouch, antiSpam:

In business since 1991, Commtouch’s patented RPD technology in the Cloud provides spamBlocker with the only effective antispam solution for low footprint UTM appliances. Commtouch reviews over 4 billion messages per day looking for spam outbreaks.

BroadWeb, Application Control:

Application Control Signatures and behavioral detection are provided by Broadweb, with over 1800 applications included. This solution provides broader coverage than other UTM vendors, and includes a unique drill down capability for application sub-functions.

BroadWeb, IPS:

A comprehensive set of signatures is also provided by Broadweb. Every signature update is tested with industry leading, MuDynamics test equipment.

Summary• Fortinet has FEWER administrative tools.

• Fortinet has LIMITED Multi-WAN support.

• Fortinet has WEAK QoS support.

• Fortinet has HUGE performance degradation with security on.

• Fortinet is MORE EXPENSIVE over time.

Battle Card

Get red. Get secured.

CONFIDENTIALNot for Distribution

Websense accolades:

AVG Accolades:

No express or implied warranties are provided for herein. All specifications are subject to change and expected future products, features or functionality will be provided on an if and when available basis. © 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, and LiveSecurity are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE66772_052512