Cisco Umbrella alternatives and competitors

The main focus is just adding an additional layer of security to what we already have, knowing that no particular solution protects you 100%. It provides an additional layer of security while browsing the Internet, which seems to be the most vulnerable place for most companies. It doesn't necessarily mean you are going to a legitimate site, as it could be redirecting you to something malicious, which turns out to be pretty bad. We already have an existing antivirus and gateway security. This was more just an added layer. We are strictly using it as a DNS filter. It seems to achieve what we are looking for. It also blocks some content that could be potentially questionable or harmful.

For our main corporate LAN, we are using WebTitan DNS forwarders that we have set on our local LAN through their DNS filtering servers. Then, we use the OTG client for our mobile devices. We also have laptop users who may or may not always be at our main corporate LAN office, and when they are not on the premises, they use the OTG client.

We are strictly Windows-based.

It is not necessarily providing any value as far as streamlining our processes. It is not helping with the day-to-day business side of things. It is more just an additional layer of security. It provides me more of a, "Hey, I have this additional layer of security. I have visibility into what is going on with these devices on the Internet browsing side." 

Keeping us safe is important. The safer we are, the less likely we are to get compromised and then have lost revenue and costs, whether it is a ransomware attack or just a single device down.

Since we have deployed this solution, it seems like there are fewer threats that our gateway security appliance detects. However, I have no way of saying, "Hey, without this solution, there would have been 100,000 attacks in the last six months, and with this solution, it is now 50,000." I have no way to really validate whether it is the WebTitan solution that is responsible for the decrease in threats being blocked at the gateway. I suspect that is the case as it seems like the number of threats have gone up for most businesses in the past year. So, it seems to have helped, but I have no way to really quantify whether that is the case or not.

A remote user has the WebTitan Cloud OTG client installed along with other applications that we have deployed, security, etc. This is really important in regards to keeping the technology side of our business going and keeping us from hopefully getting compromised with something that will impact the day-to-day business on the technology side of what we do. 

The dashboard of the customer portal has an overview of the web stats for the day, showing where we are at with some of the sites or addresses with high consumption and on what devices. It also has the ability to pull up past reporting, etc. Then, it ties all that stuff out to individual users, which is great. Since there is a lot of web traffic, if you are not sure where that is coming from inside your organization, then it is kind of hard to correct.

The DNS Proxy 2.06 works. There are no major delays in browsing the Internet. I haven't had any issues with it. Obviously, for seeing certain content be blocked, it seems to work just fine.

They probably could improve on the initial deployment and the issues that we ran into with the WebTitan Cloud OTG client installation on our mobile devices or laptops. Other than that, everything has been pretty turnkey for the most part.

We rolled it out around November or December 2021. We demoed it for a bit, then went live.

Not a whole lot of oversight is required after WebTitan is installed. I get email notifications and occasionally browse the reporting. This is pretty important because I don't have the bandwidth to actively monitor all this stuff 24/7. It is just not possible. Therefore, it is important that it doesn't require a lot of my time once it is deployed and working.

The little bit that I have dealt with them, the technical support has been fine. I have dealt with all kinds of different organizations and providers who had good and bad tech support. They rank right up there with some of the other good ones that I have dealt with. I would rate the technical support as nine out of 10.

Positive

It is pretty straightforward to implement and put live in an environment.

The complete deployment probably took way longer than it should have. That was really more on my end, not on TitanHQ's end. I am the IT department, consisting of one individual. Under normal circumstances, if you had an organization with multiple IT individuals, then it could get deployed pretty quickly within a short period of time.

We had an existing server, which was an existing domain controller, that already had DNS on it. So, we just utilized the DNS forwarding side of the DNS server to essentially point to WebTitan's DNS filtering servers. Other than a little bit of my time to update the forwarders to what they provided, it didn't take more than a few minutes to make the change. Therefore, there was very little cost on that piece of it.

The guys at TitanHQ were able to help with the initial testing that I did. Once we decided to go live with it, they made it pretty easy to deploy in our organization. There were a few little glitches in the beginning when rolling out the client app that resides on laptops. However, once they figured out what was going on, that was resolved. Then, all additional deployments to all the remaining laptops in our organization were turnkey and problem-free.

The initial account representative that I dealt with was great about communicating. He set up remote Zoom calls to kind of go over the platform and help with the onboarding process, then looped in the tech support team when needed. It was a pretty turnkey process from start to finish.

As far as seeing the value, it was probably instantaneous. Once we went live with it, I could review stats on the customer portal side of things and just dig into the details, which was easy to understand. It was pretty instantaneous to say, "Hey, we made the right decision."

In my mind, it is well worth the money that we spent. We will continue to probably spend per year on this solution, knowing that this is one additional thing that I can say, "Hey, I have implemented," that will provide us the best protection out there along with everything else that we have.

WebTitan helps reduce costs associated with web filtering. In the event that somebody was compromised due to browsing the Internet, there will be at least one device offline. The time and energy spent cleaning that thing up and getting it back online, as well as having that user set up with some sort of a solution so they can continue working, makes it well worth the money. If a single device has been compromised, my time and the potential of having to buy additional hardware is worth at least a couple thousand dollars. Worst case scenario, if our entire organization or the majority of our organization got compromised, then it could get into the 50,000-plus for recovery. It depends on if it is a massive ransomware attack where it has pretty much crippled our entire business.

I looked at a couple other solutions, like Cisco Umbrella, but this was the one that I decided to go with. I decided to go with WebTitan because of online reviews and the price point. It felt like the right solution versus some of the other ones out there.

I demoed Cisco Umbrella for a bit. It just seemed like it was going to take too much time to get it up and running in our organization. I felt that the cost and the amount of time, then potentially what it might require moving forward, was just too much.

I elected not to use it with Azure Active Directory. We don't use Azure and I don't have AD integration set up at this point. Down the road, I might elect to do so. It just didn't make sense for the size of our organization.

It probably doesn't provide much value on the customer service side because that is a totally different system. It is self-contained and cloud-managed by the provider.

Being around the technology industry for many years and just seeing different services and applications come, go, and evolve, I would say WebTitan (at this point) seems to be a good solution that doesn't require a lot of out-of-pocket expenses. It also doesn't require a lot of IT resources to implement and manage moving forward.

I would rate this solution as nine out of 10.

BloxOne is for DNS protection. We point our local domain name servers to it and it has a feed for "bad character" domain names. We protect our end-users that way. The way we're using it, that's all it does. It fits in somewhere in the middle of our security stack. DNS is the most important part of networking. Not so many people see it that way, but if you can't resolve, say, "cnn.com", nothing works. If your DNS doesn't work correctly, nothing is going to work correctly on your network. It is one of the first layers that comes into play when going to a website or using email.

It's a SaaS solution, a service that InfoBlox provides. All the systems are run by them and they maintain it.

It puts us at ease. We don't have to worry about so many DNS infiltrations. It has integrated and helped us make sure that our end-users don't visit websites that are not clean. Overall, it has helped with that side of our security.

BloxOne has also reduced the amount of effort for our SecOps team when investigating events. They have been using it and they're happy with it.

Overall, it's much easier to log, detect, and troubleshoot those aspects of the network.

The GUI has been improved a lot. It's easy to use and intuitive to navigate and to do whatever it is that you want to do with the system. Ease of use is one of the top features.

When it comes to helping to detect DNS threats, BloxOne is good on all fronts. The number of false positives is very low, close to none. More than once it has detected new names or lookalike names and protected us and saved us from bad characters.

The research side and the reporting side need improvement. Both of those are items on the menu. They could use a little bit of cleanup to make their respective information more easily understood.

I have been using Infoblox BloxOne Threat Defense for a year and a half. 

We have not had any service outages with BloxOne. It has been very stable.

We have scaled it as far as we need to, and I have not seen any issues in that regard.

BloxOne gets used with every device in our enterprise that does DNS. As the number of devices grows, usage goes up. It is something that gets used without people even noticing that it's there. Almost the entire enterprise is using it.

As for increasing the use of its features, such as the integrations, we have talked about it, but we have way too many other projects and that has been put on the back burner.

The only time we contacted them for support was during the initial setup, and that's how we got our SE to help us with the categories. On a scale of one to 10, their support is a 12.

We have been using InfoBlox as a company for more than 10 years. Their support team is well-versed in their products. They know their stuff. And if they don't know something, or there is something they haven't worked with, they are very quick to bring in somebody who knows the environment better. They don't drag you along while they're trying to learn, and that is something I really like.

We used something else that does almost the same thing. It provided us with the ability to block DNS. We have been doing this for the past 20 years or so. We switched to BloxOne because it's cloud-based. Logging is easier. With all of the previous systems that we had, we had to sacrifice on the logging feature, reduce the logging, because we couldn't maintain that size of a log. With BloxOne, logging is in the cloud and it's not limited. Also, somebody else is maintaining it, which we like.

The initial setup was "in-between." It wasn't so complex, but it also was not so easy that anybody could do it. It had a learning curve, but the learning curve was not that bad. I tackled the learning curve by asking questions of my SE. He was able to give me directions about the best way to configure it.

The kinds of things I asked about were best practices around which categories to enable. I needed to better understand what all the categories were, and what they mean. The default settings were too rigid and we had to make some changes. The SE helped us to understand all the categories, which categories were redundant and which categories should be more relaxed.

We had a PoC deployment and then production. All together, they took about two to three working days.

Our implementation strategy was to set it up the way we believed it should be set up. We put it in a test environment and then realized that some of the categories were too restricted. We got on the phone and then made some changes to those categories. After a couple of weeks of testing, we put it into production. All the settings that needed to be enabled were enabled at that point.

The team that logs in, in administrative roles, includes about eight people, and I don't think they're in there that often. We're usually in there if there's a report of domains being blocked that shouldn't be blocked. For all intents and purposes, it is set-it-and-forget-it. It has been that simple. We don't go in there unless there is a very specific reason for taking a look at something.

For deployment, it was the networking team, so that everybody was aware of how it was set up. BloxOne doesn't require any maintenance because it's in the cloud and Infoblox is maintaining it.

We looked at BlueCat and Umbrella. We went with BloxOne because it integrates better with our system. The functionality also looked a little bit better than that of the other two products.

If a colleague said to me that their next-gen firewall and other security tools mean that they don't need a DNS-specific security solution, I would say to them that, in my opinion, security is layers. Just because you have one layer doesn't mean that you can remove other ones. They work hand-in-hand.

Do a proof of concept for your environment, a test environment, to make sure that it does what you want it to do. And try to understand the categories that it has. Spend some time understanding the categories before you enable them or put them into production.

The biggest lesson I have learned from using BloxOne is patience. It is the cloud, so when you click on something you have to give it a little bit of time to do whatever it needs to do in the back end, before it actually gets implemented. You have to be patient.

I'm sure it would be able to integrate with our firewall company, Palo Alto. But, at the moment, we haven't needed to do that.

We're a manufacturing shop. So we have 500-700 users on FortiGate SWG and various devices on the manufacturing floor and inside the warehouse using it. Our ERP is on-premises in the United States, so traffic from Asia to the US passes through it.

Eventually, it's going to be used throughout the enterprise. So we're using the gateways today. We have purchased two access points for wifi. Fortinet's devices all talk to each other and use the same management platform. We're planning to transition to 100 percent Fortinet gradually.

We adopted Fortigate to go to SD-WAN. When I looked at the market, I found Fortigate offered some of the best SD-WAN capabilities, and they're reasonably priced compared to some of their competitors.

We went to SD-WAN because we're moving to Microsoft Dynamics for finance and operations and putting our telephone system into the cloud. As we shift more and more capabilities into the cloud, we need the ability to manage and monitor everything. If we're putting our ERP into the cloud and have performance issues, I need to understand if it's a problem with the internal network, the cloud connection, or Microsoft. Fortinet can pinpoint the source of the problem, so we can work with the right people to get it resolved.

FortiGate is easy to configure. We configured one of the units and sent it to Indiana to be installed. We asked them to give us a call when they got it, so we could help them through the process, but they called us back to tell us it works great. 

Non-IT people could plug it in, connect it to the fiber, and get it running without  IT help. That was fantastic. Fortinet also offers a single pane of glass that we can use to manage our routers with gateways, so that's convenient. We're running a VPN to our remote location, and the performance is good. We're changing all our VPN connectors on our laptops from Cisco's Anywhere to Fortinet's VPN because the performance is just so much better.

Fortinet needs to continue to improve network traceability. Other than that, we haven't run into anything that would give me any concern. Their support team has been fantastic. One went down, and they immediately sent me a replacement. Everything that they've done has been great.

I've been using FortiGate SWG for about  six months now.

FortiGate is highly stable.

I was pleased with the scalability.  We have a mid-range appliance in our headquarters and entry-level devices in our remote sites. They all perform extremely well. We did never needed to purchase their largest devices to get the performance we need.

I rate Fortinet support eight out of 10.

Positive

We switched from Cisco to Fortinet for a host of reasons, including price. It's also easier to set up and manage.  Cisco requires you to understand how to configure the bare metal, which requires configuration inside the switch, but Fortinet lets you set up profiles and download them. 

I was hoping FortiGate would be more straightforward to set up than it was, but my team has been working with it for around six months. They're getting up to speed and learning to manage it on their own. I have two people on my infrastructure team working on it part-time as one of their many responsibilities.

We're still deploying it and waiting on equipment in Asia. We just got the United States up and running. It took a couple of months because we have six sites. However, we weren't actively doing things for most of that time. We did the headquarters and two other locations in the same city. Next, we set up our remote sites. 

We did have an integrator come in and help us in the original setup, but now my team is managing it. You could do it in-house, but there's a learning curve. If you're a Cisco shop moving to Fortinet, your team needs to learn Fortinet byou can to do it in-house. 

Fortinet has a good training program, and you can become certified just like Cisco. You mainly need to use an outside provider so you don't have to undergo that learning curve before you can be productive. They're also going to know the tricks of the trade to do it best.

When we were using Cisco, we had a hot fiber connection and a backup in case of issues. One reason we wanted to go to SD-WAN is to be live-live. We wanted to ensure sure that we could use all our internet connections at the same time and not have anything sitting in a backup situation. It's moving traffic much better.

FortiGate is priced reasonably. We bought a spare to have in case of issues.  It was only $500 for the raw hardware and around $2,000 more annually year for the support and subscription.

We looked at four or five different vendors with SD-WAN capabilities, including Fortinet, VMware, and Cisco.  We went with FortiGate because of ease of use and price.

I rate FortiGate SWG eight out of 10. It's a solid product that's easy to install. At the end of the day, there's no reason to use a firewall without SD-WAN capabilities. It brings so many more features to the table.

Our primary use case is as a Security Web Gateway for off-premises users. 

We use Check Point for application control, IPS, and web filter on-premises and wanted an in-kind solution for off-prem users. The primary requirement was for the Harmony policy to be able to be managed from the same SmartConsole instance as our on-premises gateways are managed. 

We wanted to be able to have one single policy, managed in one place, and for our users to have the same browsing experience whether off-prem or on-prem. It was also a primary requirement to be able to have the logs generated from Harmony merged into the same locations (SmartConsole and our SIEM) as our on-prem gateway logs go.

It has not improved our organization due to being unable to fully implement in the manner it was sold to us as being able to. 

After attempting to use the same policy for Harmony that we use for on-prem users (managed by on-prem smartConsole), and after much time going through Check Point account reps and support, we were informed it is not possible to manage Harmony Connect policy from SmartConsole if layers or source objects (such as AD users, machines) were used. 

We then were told by Check Point it would be possible to manage both policies from the same platform if we used the Management-as-a-Service Smart1Cloud smartconsole, but after further investigation, we were then later told by Check Point account executives and support that we are unable to manage Harmony policies from Smart1 Cloud, even though they are both housed in the Check Point Infinity Portal. 

It is also not even possible to send our Harmony Connect logs to the Smart1Cloud portal, again - even though they are both within the Infinity portal.

HTTPS decryption is a valuable service and not always found in cloud-based secure web gateways. With as much traffic being HTTPS as opposed to HTTP these days it is very important to be able to run that traffic through all the security modules such as IPS and Application Control. 

We also found the SAML integration to be useful. It is handy to be able to access the portal from anywhere in the world, though as mentioned above we are not fully implementing the product at this time due to other issues.

We want the overall ability to manage Harmony and on-prem policies from the same platform. Harmony lacks this ability when anything more than a vanilla access policy is used (we use layers and source user objects in our policy which make this impossible according to Check Point). 

Also, we need the ability to send/merge Harmony logs into the same SmartConsole as our on-prem Gateways send logs to. Have been told this is not possible by Check Point. It makes it really difficult when you have to use two different platforms/portals to see logs

I've used the solution for about six months.

I have not had any issues with stability, although we have not fully used the solution in the manner intended.

I have not had any issues with cloud-based resources, so I assume it would be easily scalable.

We have had many issues with customer support on this product. 

One example: I created a support ticket for a simple issue on the product not being able to be installed on our client machines. 

It took over a month to resolve with my team having to repeatedly follow up with support in order to get a result. My team eventually had to dig into the issue at a great depth ourselves and discovered the problem - it was that Check Point developers did not properly sign multiple scripts associated with installation, which would not allow it to install in our secure environment. 

My team had to unpack the installer and dig around to examine the files and find the mistake in signing. The issue was then finally solved by Check Point developers in Tel Aviv.

Negative

We previously used Check Point Cloud Capsule, which is a similar product. However, we were never happy with its performance and its Application Control objects were very out of date. Support was always hard to get on it from Check Point as well. It was also unable to be used alongside our VPN solution (Microsoft Always-On VPN).

The initial portal setup was straightforward in that the portal is automatically provisioned. 

Getting users integrated through SAML was not straightforward in that the instructions from Check Point on linking it with Azure AD were not accurate. The pre-built Enterprise Application object within Azure AD that is provided for Harmony did not work either. We had to adjust several of the settings to make it work (which were not covered by any support article).

We handled the implementation in-house.

We have seen a negative return on investment

Pricing and licensing seemed acceptable; we have no complaints there. 

We also evaluated solutions from Cisco and Palo Alto.

Users should just make sure the solution will actually do what is expected, regardless of what the company says it can do.

I'm a cloud security architect, but I joined this project because one of my teammates left. My manager asked me to join because I have prior experience with Cisco Systems and Dell security. 

Our client has 40 sites, and they used other products called Peruit and PescUmbrella. My colleague was helping them remove the products from their laptops and replace them with Cortex XDR and Prisma Access. 

Prisma Access is a better product than our client's previous solution, and it helps organizations work differently. It saves time, but I'm not sure about money. I had never considered that aspect because I'm not involved in the financial side. The solution helps us to operate efficiently. Everything we want to do is in there, including DNS, web, and URL security.

Endpoint Protection is something I use on my corporate laptop, and it's doing a wonderful job. I don't experience latency. Prisma has a massive number of secure gateways compared to any other product. All these gateways reduce latency and provide better bandwidth because they use cloud platforms. The scalability and efficiency are excellent so far. 

Prisma integrates well with Cortex XDR and Cortex Data Lake. My company has been also using Prisma Access in-house for nearly a year, and it integrates seamlessly. 

Another aspect I like about Prisma is its usability and control. You can do many functions from a single dashboard. It has more features than Zscaler. The look and feel are better. Prisma is a one-stop shop that does many tasks, like logging and monitoring. 

Having a cloud-based platform is essential because we're pushing all our customers to the cloud. Most of our customers will be using Prisma in the future. Prisma Access provides traffic analysis, threat prevention, URL filtering, and web filtering, which are critical features that our customers request. You don't need a separate administrator for each task. One admin with a little training can handle all of them on Prisma Access. The rest depends on how much you can play with the product.

The documentation is generally good, but they could provide a more detailed description of all the configuration steps. I have to search for information or call support. Palo Alto could add more knowledge base articles about configuration with screenshots and walkthroughs. That would be helpful. When configuring a product, you want to see examples of how it is done. 

I am using Prisma Access for two projects. I haven't been using it for more than six months. 

I haven't worked with Prisma for long, but my impression of the stability so far is good. 

Prisma Access is most suitable for large enterprises because it also includes posture management. It's comparable to Microsoft ESPM. Microsoft makes many of the tools I use as a cloud architect, so I see everything from that perspective.

I don't think smaller companies will have any issues with Prisma. My company has five offices in India and users in 55 countries. Prisma is excellent in terms of scalability, usability, readiness, and user experience. It also runs on older operating systems and new ones too. The laptop I initially got from the company was pretty old. It's a gen-three. I got a newer laptop, and it works on either. 

I rate Prisma Access support a nine out of ten. Their support is helpful. They have a large team of product managers, so they're always available to talk. The response times are excellent. 

I'm impressed. Their technical teams are knowledgeable about the product, and they have global support. You can get support around the clock no matter which time zone you are in. One of my clients is in the US, and the other is in India. Both can access support without a problem.

Positive

I worked with Cisco Fire and AnyConnect, which combines security and VPN. AnyConnect is a popular Cisco product clients use remotely to connect their machines to their offices. That was the first product. Cisco acquired Sourcefire and rebranded it to Fire, which is again a client-based solution.

The deployment is straightforward, and it's done via Prisma's console. I didn't find it to be tricky or have any difficulty finding what I needed. Everything is clearly labeled and intuitive. The more you play with that, the more comfortable you get.

It only takes a minute or two if you have everything configured and you simply need to push the config file. That also depends on how much configuration you push at once. A small configuration takes less than 30 seconds. A larger configuration like we've done in the past few days might take a minute or more. 

I rate Prisma Acess a nine out of ten. It's better than any other product in the market.