Forescout Platform vs Fortinet FortiNAC comparison

 

Comparison Buyer's Guide

Executive Summary
 

Categories and Ranking

Forescout Platform
Ranking in Network Access Control (NAC)
4th
Average Rating
8.4
Number of Reviews
73
Ranking in other categories
IoT Security (1st), Endpoint Compliance (4th), Extended Detection and Response (XDR) (14th)
Fortinet FortiNAC
Ranking in Network Access Control (NAC)
3rd
Average Rating
7.6
Number of Reviews
45
Ranking in other categories
No ranking in other categories
 

Mindshare comparison

As of June 2024, in the Network Access Control (NAC) category, the mindshare of Forescout Platform is 12.6%, up from 11.3% compared to the previous year. The mindshare of Fortinet FortiNAC is 21.0%, up from 14.8% compared to the previous year. It is calculated based on PeerSpot user engagement data.
Network Access Control (NAC)
Unique Categories:
IoT Security
10.1%
Endpoint Compliance
4.3%
No other categories found
 

Q&A Highlights

it_user781137 - PeerSpot reviewer
Sep 24, 2018
 

Featured Reviews

MG
Nov 9, 2022
We can go granular on each endpoint, quarantine non-compliant machines, and target vulnerabilities through scripting
Logging would be one area for improvement. When we're troubleshooting, there are not a lot of clear things on Google that we can look up for ourselves. When we have an issue with it, we have to call the company to get the vendors involved. The logging of Forescout is horrible compared to other things that we've used. We don't use ISE, but based on what we heard from the users we've reached out to who do use ISE, the logging capabilities of ISE are better, and troubleshooting is so much easier with ISE than it is with Forescout. It doesn't have a lot of end-user support after the purchase of the license. There is no training either for Forescout. That's something that it's lacking. We need refresher training. The vendors came out and trained us whenever we first set up Forescout, but we have people coming and going all the time. There are some things that we wish that it would do. We use ACAS, which is a reporting tool that scans our network and then lets us know what kind of vulnerabilities are on the network. It would be nice if there was a way to connect Forescout. I know ISE connects with our configuration management tools to push patches and things like that out to a large array of machines. With Forescout, we can push some patches out, but it can't handle anything on a large scale. So, we wish that Forescout would be able to handle more and connect to some of the other tools that we use. We have 15 different tools that do pretty much the same thing but in a different way to get a good picture of our network. It would be nice if we can condense that down or have something that is a central hub-type tool that can reach out to some of our other tools, compile the data better, and have that data in one place.
SM
Jan 16, 2024
Adds an extra layer of security, and is user-friendly, but the device compatibility can be improved
We use Fortinet FortiNAC to control user access and enforce system policies. Fortinet FortiNAC helps add an extra layer of security. The ease of deployment is valuable. Fortinet FortiNAC's device compatibility could be improved, particularly for VoIP devices. I have been using Fortinet FortiNAC…

Quotes from Members

We asked business professionals to review the solutions they use. Here are some excerpts of what they said:
 

Pros

"Forescout Platform provides multiple features. They have a very effective device fingerprinting in their cloud. You do not need to add any devices manually, such as in Mac devices. Other solutions you have to add IoT devices and OT devices manually. This is one of the major areas that Forescout Platform is excelling in."
"The solution's implementation and operation are very easy."
"This is clearly the best product for the NAC use cases in this field for Forescout."
"Forescout Platform has made it possible to block people working near our construction sites who should not have access to our network."
"It has helped with improving our security posture in terms of controlling the access of rogue devices into our network through identification. We have been able to prevent rogue device activities on the network, check the health of the system, and ensure remediation."
"The most valuable feature of ForeScout is the fact that it can do network access control either with 802.1x or without 802.1x."
"Forescout Platform is stable, it is great."
"Forescout Platform's most valuable aspect is its excellent device profiling for devices without agents, which is crucial for our work due to challenges with agent-based devices. Its isolation and blocking actions are particularly effective for network security. The device compliance feature helps us ensure device compliance through immediate actions like updating antivirus software. We have already integrated Forescout with antivirus and vulnerability assessment tools, allowing it to monitor vulnerability scores and automatically isolate devices if critical vulnerabilities are detected."
"This solution is very easy to implement and use. The interface is user-friendly."
"The most valuable aspect of this product is its security features. Many customers prefer cheaper devices, but those often lack adequate security measures. It also supports compliance with industry regulations."
"FortiNAC has enhanced our network visibility because FortiNAC monitors MAC addresses and other network devices, like Cisco, Catalyst, or HPE switches."
"Fortinet FortiNAC is both scalable and stable."
"Fortinet FortiNAC is a stable solution."
"Version 9.1 has been an improvement on previous versions. It's a good solution for SMB."
"Compared to other NAC vendors, Fortinet’s user interface is more user-friendly."
"The FortiNAC features I found the most valuable are security and the ability to consolidate wireless networks."
 

Cons

"Forescout needs to upgrade its development in the future."
"If older network devices are used there can be some compatibility issues while using the Forescout Platform. Additionally, if the switches that are deployed in your infrastructure are not captured properly to the endpoints there might be some difficulties with Forescout Platform trying to monitor the network traffic. Traffic management is an area the vendor should work on."
"When adding what is in scope to a policy, it would be nice if you could select multiple policies instead of one policy at a time to add what is in the scope for network segmentation. I have found that during the install and configuration of the policies that if you want to modify multiple policies or enable multiple policies that you need to define what is in the scope (IP range or segments) one rule at a time. This caused some slow downs when implementing policies."
"The biggest disadvantage is the pricing."
"The solution needs more definitive pricing. The costs are hard to nail down."
"They need to handle their Tier 1 cases differently. The biggest negative regarding Forescout is their support. Not having the ability to get instantly transferred to a support engineer for Tier 1 cases is pretty ridiculous."
"The solution does have a bit of complexity, and there's some complexity in the deployment. Users need to be trained before undertaking an initial setup."
"They should improve features related to IT security. ForeScout should analyze behavior to see if the behavior is malicious behavior and block this device. They should develop the ability to analyze the behavior of the device in my environment."
"The user interface and the product's intuitiveness could be improved."
"This solution could be more agile."
"Integration is hard in Fortinet FortiNAC, but they are evolving and getting better. For example, with Cisco, Aruba, Huawei, and Extreme devices, Fortinet FortiNAC is working properly, but some other devices have problems."
"Keeping the hard disk on the one series will be easier for the distributor and will keep the prices lower for the customer."
"I would like to be able to compare the configuration backup before and after."
"Our users have been asking for simpler documentation and training materials to facilitate the deployment process."
"Technical support could improve their response times."
"Fortinet FortiNAC's price is expensive compared to other products."
 

Pricing and Cost Advice

"The cost of licensing for this product is quite high, but this cost covers all the features of the solution so it is a single payment for the term that has been selected."
"It's about $160,000, but I'm not sure how long that is for or what it includes. Because we were a test base, we were provided with servers, but now, Forescout wants us to buy servers because those servers are now end-of-life or end-of-service. For our lifecycle management program, in order to get a refresh on those servers, we would have to buy servers or use our own network resources to house Forescout. Forescout takes up about 13 or 14 virtual CPUs."
"5,000 user licenses will cost you between seven and eight million dollars, compared to 20 million for Aruba."
"We need to pay for integration for each integration that we want to do and there is an additional license fee. This adds more costs. It is not something that anyone can afford. If you want to integrate this with a lot of other tools, it can be costly."
"I would rate Forescout Platform's pricing as four out of five."
"Forescout's pricing is noted for its attractiveness, with potential discounts depending on partnership levels."
"The cost of the solution depends on the customer's requirement because the customer is asking for different integration with a different product. Forescout Platform's price would start to get a bit higher. However, overall the price is a little expensive. It can fit within the customer budget."
"The tool's pricing is expensive but reasonable."
"It's a pricey solution."
"FortiNAC's price has gone up in the last year. However, compared to other solutions, such as Cisco ISE, it is cheaper."
"It's a subscription-based license, which is based on the usage and number of concurrent users."
"The price of the license required is based on how many users are going to be using the solution. If you want more users you can upgrade your license."
"The solution is expensive. However, it is not as expensive as other solutions, such as Cisco ISE."
"It is a reasonable product."
"Fortinet FortiNAC is reasonably priced."
"For the projects that we do the Fortinet FortiNAC is affordable."
789,442 professionals have used our research since 2012.
 

Answers from the Community

it_user781137 - PeerSpot reviewer
Sep 24, 2018
Sep 7, 2018
Hi Nkwa, I did some research comparing ForeScout with ClearPass. Fundamentally they do the same thing but in very different ways. It is important to understand these differences and how they could help you achieve, or not, what you need in your organization. I will only point out these differences and not every single detail. This is based on my own experience and I do not represent either ForeScout or Aruba ClearPass.

DISCOVERY PROCESS / Profiler - METHODS

• NetFlow or sFlow: ForeScout does not support sFlow, only NetFlow. Is this important? Yes, it is if your switches are not Cisco or any other vendor that supports the NetFlow protocol. ForeScout says: "This capability becomes more relevant in large scale deployments, where the CounterACT packet engine is limited in its "ability to detect activity in remote sites and branch offices". Use of information reported by NetFlow improves visibility and speeds detection of new endpoints."
Reference: https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_NetFlow_1.2.pdf Page 3.

ClearPass: NetFlow V5/V9 and V10 aka IPFIX + sFlow are supported.
Reference: https://www.arubanetworks.com/techdocs/ClearPass/CP_ReleaseNotes_6.6.3/Content/WhatsNew/NewFeatures_ProfilerNWDiscovery.htm

ORCHESTRATE = Integration/Collaboration with other Systems

ForeScout:
* ForeScout is able to interchange contextual information with 3rd party solutions; however, most of the contextual collaboration capabilities are available using an Extended Module option and ForeScout charges separately for this.
Reference Links:
https://www.forescout.com/platform/extended-modules/#cmt
https://www.cdw.com/product/forescout-extended-module-for-palo-alto-networks-next-generation-firewall/4589573
https://www.cdw.com/search/?key=forescout&searchscope=all&sr=1

ClearPass:
* 140+ integrations are included as part of the core solution. Basically, you can integrate ClearPass with anything in your IT infrastructure at no extra cost to share contextual information: firewalls, MDM, ticket system, SIEM, etc., using built-in modules or APIs. You can request customized APIs as well.
Reference Link: https://www.arubanetworks.com/partners/programs/security-exchange/
Reference Link: https://www.arubanetworks.com/assets/so/SO_ClearPassExchange.pdf

AGENT OR AGENTLESS?

Basically, an agent-based solution needs software installed, while an agentless approach doesn't. Independently of what NAC solution you will use, it is important to understand whether or not you need an agent.

When a device connects to a network, the agent software performs some actions that have been defined in a central access controller or policy management platform. If persistent, the agent performs auto-remediation functions during a connection and will permanently monitor the device throughout a session to “fix” things that may change.

The dissolvable agent: a user clicks on a web portal link to download the agent, which authenticates the user and device, checks the endpoint for compliance, and allows access to the network if policy conditions are met. It then disappears until the user runs it again.

ForeScout:
ForeScout is proud to claim that they don’t require an agent (agentless approach NAC) but this is not completely true. ForeScout needs a “dissolvable agent” for authorization & compliance of unmanaged assets, e.g. employee BYOD, contractor laptops, printers, CCTV cameras, smart TVs, etc. Agentless is fine when all your devices are Windows and all of them are under your management. For non-Windows devices you will need the dissolvable agent to perform health check and remediation.

Based on this explanation, having an agent or not is irrelevant in most cases. There are many identity sources from which you can extract contextual information to help the NAC do its work; examples are: AD, wireless AP, endpoint protection software, SCCM, MDM, the switches, the firewall, etc. To do this you need integration; this is possible with ForeScout using the extended modules/plugins and normally paying the extra cost.
Reference Link: https://www.forescout.com/wp-content/uploads/2018/08/Agentless-Visibility-and-Control-ForeScout-White-Paper.pdf

ClearPass:
ClearPass can run with an agent and without the agent. It has the persistence option and the dissolvable option for BYOD and guest devices. It can be easily integrated with the mentioned identity stores at no extra cost.
https://www.bradfordnetworks.com/agent-based-agent-less-other-understanding-the-different-ways-to-enable-nac/
http://community.arubanetworks.com/t5/Technology-Blog/When-and-why-agents-for-NAC-It-s-not-a-Secret/ba-p/256672
https://community.extremenetworks.com/extreme/topics/nac-vs-seperate-radius-server

802.1X RADIUS AUTHENTICATION OR NOT

Here is one of the major differences. Both support RADIUS authentication. ClearPass sees it as the most secure way to protect your network and ForeScout sees it as something complex that you should try to avoid if possible, in my opinion.

ForeScout:
* Says: 802.1X presents several deployment, operational and troubleshooting challenges, particularly on wired networks.
* To perform RADIUS-based network authentication you need a “Plugin” to forward the authentication requests to an external authentication server, like the Microsoft NPS (page 10, reference link). You will also need a Switch Plugin for wired network RADIUS-based deployment and a Wireless plugin for wireless network RADIUS-based deployment. All this sounds like complexity to me.
* By not having 802.1X configured you also save configuring all switches on your network. Which is not a big problem because you do this once during the useful life of the switch.
* No built-in TACACS+ (centralized remote authentication to network devices like switches, routers, etc.).
Reference Link: https://www.forescout.com/wp-content/uploads/2018/04/CounterACT_RADIUS_4.3.pdf

ClearPass:
* Has a built-in CA and if you like you can use an external CA as well.
* Centralizing the RADIUS authentication makes the administration and configuration very easy because you don’t have to manage the NAC and the CA separately.
* No plugin is needed for non-802.1X auth and non-domain-joined devices. In this case you can enforce machine authentication and many other security layers to allow non-domain devices to safely connect without a certificate.
* Non-domain devices can automatically or manually be provisioned using a guest network and dissolvable agent.
* Integration with the Aruba Wireless system for RADIUS authentication is very easy (if you own an Aruba Wireless infrastructure) and at no extra cost. You must configure your switches to work with 802.1X. This can be easily done using a template on HPE IMC.
* Built-in TACACS+.

DEPLOYMENT AND INITIAL POLICY SETUP

ForeScout: preferred method is: I let you in, then I find out who you are.
• ForeScout CounterACT proposes the post-connect deployment strategy for network visibility and access control, in which endpoints are initially allowed access to the network while CounterACT profiles them to determine ownership and compliance. Access to the network is then adjusted based on profiling results and security policy.
Reference link: https://www.forescout.com/wp-content/uploads/2016/12/CounterACT-Deployment-Guide-Wired-Post-Connect.pdf
This makes sense on new deployments because the NAC can be configured transparently to the end user with no dramatic impact. My question is: What is the process after deployment? Do I let you in, then I find a good policy for you?

ClearPass: preferred method is: I let you in if you tell me something about you. Then, depending on the roles/policies, this unknown device will be moved to a quarantine VLAN for remediation or moved to a dead-end VLAN. At the same time this will trigger a ticket to the helpdesk and a message to the user to know what is happening and what the next step is.

SUPPORT, SERVICE and DOCUMENTATION

ForeScout:
• The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse a little and it won't be hard to find references. Online support, documentation, communities (ForeScout Chatter), etc.

Aruba/HPE:
The references are very good everywhere you read on the internet. Also, the expertise of their engineers. You can browse anywhere on the internet and it won't be hard to find references. Online support, documentation, communities (Aruba Airheads), etc.

PRICE

This will depend on many factors. I would suggest that you consult both and make your own decision.
ZF
Sep 24, 2018
Thanks for your nice work. I am working on a similar type of comparison between Forescout, FortiNAC (Bradford) and ISE for a project in a healthcare organization.
 

Top Industries

By visitors reading reviews
Educational Organization
29%
Computer Software Company
11%
Government
8%
Financial Services Firm
7%
Educational Organization
32%
Computer Software Company
13%
Manufacturing Company
6%
Government
5%
 

Company Size

By reviewers
Large Enterprise
Midsize Enterprise
Small Business
 

Questions from the Community

What advice do you have for others considering Forescout Platform?
Forescout is a very powerful NAC product that does not rely on port level configuration. It can detect and block unauthorized devices very quickly. But it has a lot of capabilities and really would...
What advice do you have for others considering Forescout Platform?
I would rate the Forescout Device and Visibility Control Platform at a six out of ten.
What advice do you have for others considering Forescout Platform?
I recommend doing a compression demo. If people use it, they will buy it. So they have to see the product in place. That's the main recommendation is to do a proof of concept. If they do, they will...
What is the biggest difference between Aruba ClearPass and FortiNAC?
I've done quite a lot of work with ClearPass, and not a lot with FortiNAC/Bradford. ClearPass incorporates a number of different functions including ClearPass Guest for creating complex wireless g...
How does Cisco ISE compare with Fortinet FortiNAC?
Cisco ISE uses AI endpoint analytics to identify new devices based on their behavior. It will also notify you if someone plugs in with a device that is not allowed and will block it. The user exper...
What do you like most about Fortinet FortiNAC?
The support responds to our queries within two to four hours.
 

Also Known As

Forescout Platform, CounterACT for Endpoint Compliance, ForeScout CounterACT
FortiNAC, Bradford Networks, Bradford Networks Sentry, Network Sentry Family
 

Overview

 

Sample Customers

NHS Sussex, SAP, SEGA, Vistaprint, Miami Children's Hospital, Pioneer Investments, New York Law School, OmnicomGroup, Meritrust
Isavia, Pepperdine University, Medical University of South Carolina, Columbia University Medical Center, Utah Valley University
Find out what your peers are saying about Forescout Platform vs. Fortinet FortiNAC and other solutions. Updated: May 2024.