"The most valuable feature is the access control list (ACL)."
"The feature set is fine and is rarely a problem."
"One of the nice things about Firepower is that you can set it to discover the environment. If that is happening, then Firepower is learning about every device, software operating system, and application running inside or across your environment. Then, you can leverage the discovery intelligence to get Firepower to select the most appropriate intrusion prevention rules to use for your environment rather than picking one of the base policies that might have 50,000 IPS rules in it, which can put a lot of overhead on your firewall. If you choose the recommendations, as long as you update them regularly, you might be able to get your rule set down to only 1,000 or 1,500, which is a significant reduction in a base rule set. This means that the firewall will give you better performance because there are less rules being checked unnecessarily. That is really useful."
"Provides good integrations and reporting."
"Its Snort 3 IPS has better flexibility as far as being able to write rules. This gives me better granularity."
"Web filtering is a big improvement for us. The previous version we used, the AC520, did not have that feature included. It was not very easy for us, especially because the environment had to be isolated and we needed to get updates from outside, such as Windows patches. That feature has really helped us when we are going outside to pull those patches."
"IPS and Snort are very important because they also differentiate Cisco from other vendors and competitors."
"The most valuable features of this solution are advanced malware protection, IPS, and IDS."
"The most valuable features are the enterprise modeling and the simple interface."
"It is easy to manage, and it doesn't need much knowledge from the team. It is a stable device, and there are many features that are included out of the box."
"FortiGate has a very strong unified threat management system."
"User-friendly and affordable security solution that's recommended for SMB customers. This solution has good technical support."
"The interface is very good."
"I have found Fortinet FortiGate to be scalable."
"Its administrative panel is very intuitive and simple. It is simpler than the other solutions that we had. As an administrator, we are always looking for the easiest solution to manage network policies. We are able to filter everything on our network and also use the VPN feature, which is important these days when people are working remotely during COVID."
"The license management is very valuable. You can get a new license each year, or you can enroll every two to four years. You can get the logs, and you will get the information on the risk in your network and the entire organization. With this information, you can take action on your actives, computers, or devices. You can bring your own device as an SSE."
"Overall, we're very happy with our product."
"The protection is most valuable."
"Zscaler Internet Access has helped us reduce the time that we spend managing security policies by about four hours a week. We can use this time to focus on other things, especially the IT team."
"For our needs, the cloud-native proxy architecture is a very good solution. We are moving away from on-prem appliances and moving more toward cloud-based solutions. Zscaler is a good fit for our strategy. This architecture helps with cyber threats because we inspect most of the traffic and we can see that a lot of threats are stopped directly in the secure web gateway."
"The solution is scalable and stable."
"Zscaler Internet Access protects using data loss prevention. If you have a CASB exposing your cloud out into the network, then Zscaler Internet Access will go ahead and control that unknown cloud application in the CASB, protecting it. There is also data detection with exact data match. This improves the data coming into your cloud so you are protecting it."
"Zscaler Internet Access's roaming user feature is most valuable and is much better compared to other secure web gateways."
"The most valuable features I found in Zscaler Internet Access are the restriction of users for a particular URL, the security feature related to stopping DDoS, and the VPN."
"When you make any changes, irrespective of whether they are big or small, Firepower takes too much time. It is very time-consuming. Even for small changes, you have to wait for 60 seconds or maybe more, which is not good. Similarly, when you have many IPS rules and policies, it slows down, and there is an impact on its performance."
"My team tells me that other solutions such as Fortinet and Palo Alto are easier to implement."
"The change-deployment time can always be improved. Even at 50 seconds, it's longer than some of its competitors. I would challenge Cisco to continue to improve in that area."
"The performance should be improved."
"Cisco makes horrible UIs, so the interface is something that should be improved."
"The application detection feature of this solution could be improved as well as its integration with other solutions."
"The main problem we have is that things work okay until we upgrade the firmware, at which point, everything changes, and the net stops working."
"The visibility for VPN is one big part. The policy administration could be improved in terms of customizations and flexibility for changing it to our needs."
"The command line is complicated, and the interface could be better."
"Technical support is good but the response time could be faster."
"FortiGate should have a better way of detecting and managing the system memory because otherwise if the memory is too low, a system restart is required."
"The customization could be improved. Cisco, for example, is much better at this. They need to work to be at least as good as they are."
"We had some issues in the beginning while setting it up, but after doing the firmware update, it is working fine."
"Price, of course, can always be more competitive or better."
"The solution needs to improve its integration with cybersecurity."
"Backup can be improved."
"What could be improved in Zscaler Internet Access is its price. It could be cheaper."
"There are a few features that are not compatible with the Azure cloud."
"Sometimes, support isn't available."
"They could provide more time for the onboarding the training of an IT person."
"One thing that they could improve is the ability to import rules from other platforms."
"The performance needs improvement. Some areas create performance issues and, depending on the use cases, require reconfiguration to perform again."
"Zscaler needs to add client-to-client communication. It's always client-to-server communication. The cloud and branch connectors could be improved because we're still dependent on traditional firewalls. They should eliminate this. They should also provide WAN devices should to compete with the SD-WAN solutions also."
"Zscaler Internet Access's troubleshooting is very limited, and their textbook logs need to be more informative."
Fortinet FortiGate is ranked 1st in Firewalls with 166 reviews while Zscaler Internet Access is ranked 2nd in Secure Web Gateways (SWG) with 17 reviews. Fortinet FortiGate is rated 8.4, while Zscaler Internet Access is rated 8.6. The top reviewer of Fortinet FortiGate writes "Stable, easy to set up, and offers good ROI". On the other hand, the top reviewer of Zscaler Internet Access writes "AI decision-making on quarantined documents reduces manual work". Fortinet FortiGate is most compared with pfSense, Cisco ASA Firewall, Sophos XG, Check Point NGFW and SonicWall TZ, whereas Zscaler Internet Access is most compared with Cisco Umbrella, Netskope CASB, Microsoft Defender for Cloud Apps, Palo Alto Networks WildFire and Appgate SDP. See our Fortinet FortiGate vs. Zscaler Internet Access report.
We monitor all Firewalls reviews to prevent fraudulent reviews and keep review quality high. We do not post reviews by company employees or direct competitors. We validate each review for authenticity via cross-reference with LinkedIn, and personal follow-up with the reviewer when necessary.
Bluecoat and Forcepoint offer credible solutions. Think through where your users are and what they connect to. A mobile workforce may need an agent and a cloud gateway (unless you force them back to base over VPN) but may give problems if connecting to sites that whitelist you by IP. And not all providers have good global breakout points. Be particularly careful if you work in China.
My recommendation is the Cisco Meraki MX84 with the Advanced Security license (it has two kinds of license: Advanced Security and Enterprise).
I recommend FortiGate.
All FortiGate appliances are powered by the FortiOS™ operating system with the following features and benefits:
Features: Firewall, Virtual Private Networking (VPN), AntiVirus, Intrusion Prevention, Web Filtering, DLP, and anti-spam; AntiVirus/Antispyware
The answer is, it depends... If you do any web-based business with banks or governments, then get a hardware solution like Bluecoat or Fortinet, because web-based providers cannot provide you with a static source IP and you will fail security checks. I've been involved in corporate moves to the "cloud" using Zscaler and both went very wrong, very fast; a year later they still have monthly outages because of the "cloud" providing random source IPs. If this is for public internet access outside of your corporate network, then you should be fine; otherwise I suggest hardware you control.
This is a "how long is a piece of string?" type question. As the other vendors have said it is hard to recommend something fully without knowing all the background. Your background did stipulate that you had multiple sites and you were growing. Having a traditional deployment scenario will mean that you need to have a "box" at each site and add more boxes as you add more sites. Going with a more modern solution like Zscaler will allow more rapid growth opportunities - just add users, no matter where they are - also this allows you to restrict with a single policy in the cloud rather than on each device.
As others have said, be mindful of the proximity of the Zscaler because of latency, but they do have >100 POPs, which you will probably find pretty local.
Overall, there is a lot more research you can do, but I'm leaning towards a cloud offering from the branches. You might consider an SD-WAN device at each branch that also has FW built in. This would give you connectivity resilience at a much lower price, but perhaps this is a debate for another day :-)
Cisco Meraki is an excellent solution in the cloud, has AMP included, and can be integrated with Umbrella and Threat Grid.
We use FortiGates for web filtering and security. We are a global company with > 10,000 users.
This protects all users on our internal network. Remote users can use the Fortinet FortiClient for remote AV and web filtering protection.
We used Zscaler several years ago but we were unhappy with latency for complex websites and managing PAC files was difficult.
Since you are going for web security, the Zscaler web security solution will be my recommendation, considering its robust features and vast threat intelligence base. It is best you go for the cloud solution since you are working across sites.