Palo Alto Networks K2-Series alternatives and competitors

We needed to replace our external firewall solution as we were having issues with the HTTPS inspection on our previous solution and the level of support being provided was terrible, leaving us with an issue that could not be fixed for over six months. 

We had already deployed a new internal firewall solution but needed something that would protect that from external factors. We also needed a new solution to replace our client VPN solution. The Check Point solution gave us that as one whole solution instead of having to manage multiple services.

Our policy is to deny all outbound traffic unless we allow it, which can generate a lot of work to build a rule base that allows everything we need to get out. 

This solution has made managing connections out to the web much better due to the categorisation and app control that is available. Being able to say certain apps and services are allowed out, instead of finding all the relevant IPs, has massively reduced the workload. The ability to manage the Client VPN and relevant rules for that in the same location has also improved the way we work. Having links into AD for group membership recognition and having rules based around this has been very useful in improving the way remote users can access the network.

Logging has been excellent. Being able to see all logs from all the various firewalls at different sites in one window has made fault finding much easier. We can see how the traffic is moving through the sites and on which firewall. 

It has also been easy to see machines that may have had infections as we can report easily on devices trying to talk out to sites and services that are known to be dangerous. We have these set up as an HA pair on our main site and we have a lot of audio and video services that go out over the web. 

The failover from one device to the other has been seamless and we find that we do not lose ongoing SIP calls or Teams chats. 

The functionality of the S2S VPN service has been temperamental for us at times and is not always simple to manage or check the state of. 

We find the GUI to be wrong and the CLI doesn't always show all of the connections. 

From a general usability point of view, if you have not used Check Point before, the learning curve is steep. Perhaps managing and configuring the devices could be streamlined for people with less experience so that they can pick it up quicker. There needs to be extra wizards for the out-of-the-box builds.

I've used the solution for six months.

On the firewall side and content filtering side of the solution, it has been faultless. There has been no real downtime to note and the access to the web via relevant rules has always worked as expected.

We have a fairly small setup in the grand scheme of things, however, from what we have seen, the ability to add in new firewalls or increase the hardware spec seems very good and it would be easy to transition from older to newer hardware when the time comes.

Due to the support model we signed up for, we don't deal directly with Check Point support. We deal with the vendor first and they will deal with any 1st/2nd and even most 3rd priority issues. They would then go to Check Point if they need more assistance on our behalf. The level of support and responsiveness of their support has been excellent. We're always getting at least a response within a few hours, even on a P3/P4 issue.

Positive

We did have another solution, but due to an issue with the HTTPS inspection that the manufacturer was not able to properly rectify or fix for 6 months, we lost faith in their ability to provide adequate support going forward for any issues we might come across. 

The setup was complex due to the nature of the Check Point firewalls and us having to make some config setup in one portal and others on the CLI. We also had to arrange the rule base via the management console. There could be 3 different places you need to make various changes. We also used private microwave links as redundancy for VPN connections and that had caused significant issues in getting set up as the link selection did not cooperate at first.

We implemented via a vendor and I have to say their level of expertise was brilliant. Every question we threw at them, they were able to provide an answer to. 

It was not the cheapest solution to go for, but the amount of admin time that has been saved by the use of Check Point firewalls has definitely given us a great return, giving us more time to work on other aspects of our network. Also, being able to consolidate 2 solutions (Firewall and Client VPN) into one solution has saved more money and admin time. 

We found that Check Point was very flexible with its pricing. We were looking at a spec of hardware in other solutions. We found that Check Point did not have a direct competitor, but to help with the bid, they managed to reduce the costs of their higher-spec hardware to make it competitive with the other solutions we were looking at. It's not our fault they did not produce the hardware of a similar spec. It's up to them to try and provide a solution that would make it a competitive solution. 

We looked at several other solutions in including Palo Alto at the top of the market and Sophos XG further down.

I would say as good as the solution is, if you are looking to get the most out of it, you should look to get a company or consultant who knows the Check Point solution inside out to assist with the setup. We found a partner who specialized in Check Point and we would not have been able to get it to the stage we have without them.

In some instances, we are using it in a virtual appliance in a VMware environment.

I will not rely on Sophos to build my infrastructure. For that, I will go to Fortinet or Palo Alto. However, from an end-user management perspective and the granular control and the reporting stuff, I still prefer Sophos. 

We are using Sophos as our internet gateway for specific sites that don't have to do with the backend tunneling and the infrastructure and all that stuff.

I have found some difficulties in other products, like in Fortinet, where there is no end-user visibility in a presentable form that non-technical people can interpret. I'm talking more specifically about non-technical management. You have to present something. Apart from that, the end-user integration is fine if you are using it for NCL and or as an internet gateway. Sophos allows for more visibility.

However, as far as infrastructure is concerned, if I have to apply this as a device in my data center or at any critical point, this device fails to perform. The hardware is not up to par. Even if I answered from proxy to transparent, transparent proxy to the full proxy mode, there are some hardware difficulties.

The centralized security is very good. 

The heartbeat system, the reporting management, and the electoral control that is achieved when the Sophos XGS is integrated with the Sophos endpoint is great.

It's close to the top of the line, alongside Trend Micro in terms of security reporting.

It is easy to set up.

I have observed that there are some reliability issues with these products in regard to the hardware performance and RMS.

I've witnessed many devices go down - even three on the same day. I've never seen that, for example, with Fortinet.

The stability could be a bit better.

I would like to have a proper SD-WAN orchestration solution. They are working on it. However, it still needs some improvement. Apart from that, it would be better if they provide the email gateway and the WAF not as a feature in the existing XG but as a dedicated appliance. Barracuda and Fortinet, for example, are providing dedicated services for the WAF and email gateway. Compared to that, Sophos is not up to the same level.

I've used the solution for around five years.

While their endpoint is a stable solution, their firewall needs to be improved in regard to integration with other products. I have specifically witnessed a case where we tried to integrate Sophos XG with the DLP product by Force Point. That wasn't supported right away. FortiGate was supporting that particular model.

I would like to have scalable products, however, normally what I have witnessed is that every new product that they push out or any additional feature that they push out in a new VMware version or specifically for the firewall may have some stability issues. So scalability at the cost of stability is not an option for me.

We have about 250 to 300 users. We have multiple branches that use this product. Usually, it's the development team, and hardware and software users. 

We may expand usage. It will depend on the additional sites we may operationalize soon.

I've had some direct escalation experiences with the country manager and their technical lead. I tend to get a good response.

While in general technical support can be better sometimes, as far as their resolutions are concerned, the team is providing us with technical assistance, and their approach to resolutions can be a bit tricky. Normally they try to avoid dealing with the solution so you have to dig it out and you have to work on it yourself, or you have to push them that there must be a solution.

Neutral

I have some expertise in Sophos and Fortinet; I'm not so sure about Cisco. We are also using Palo Alto.

We had some granular control in Sophos that was a bit advantageous to us. That's why switched. Also, the reporting, AD integration and the Sophos endpoint integration were key drivers in making the change.

The solution is simple to set up. It's not overly complex. It only takes a couple of minutes. 

YOu only need one person to handle maintenance. 

I handled the initial setup myself. 

We pay for the solution on a yearly basis, and it is fine. The renewal costs are typically reasonable. If you compare the general cost to Fortinet or Palo Alto, it's lower and more affordable. YOu can also pay for extra support.

We are a Sophos end-user.

For small enterprises or even for some enterprises that do not require large infrastructure, I would recommend Sophos right away. In Pakistan, we have to present something to the management and most of the time the management of the company is non-technical. So the presentability factor and the users' granular control and integration factor, make it attractive. This product can be used as an internet gateway. I have already recommended it to multiple users not for the infrastructure but for the internet gateway or as a proxy service.

I'd rate the solution a seven out of ten. Some features still need improvement or to be built out, like  proper orchestrations or dedicated services.

I can't put Cisco on the firewall when the security landscape has changed so much in the past five to ten years. We are doing a lot more in the next generation of firewalls. We had a legacy classic firewall before we went to Firepower, and we spent a lot less time on that firewall, but we are spending more time on the Firepower because we are utilizing a lot of the features that are available in Firepower that were not available in the previous firewall that we had. I'm not going to say that we're spending less time, but we're gaining more value.

Another benefit has been user integration. We try to integrate our policies so that we can create policies based on active users. We can create policies based on who is accessing a resource instead of just IP addresses and ports.

If I were to have been asked a few weeks ago, I would have said threat prevention was the most valuable feature, but the world is changing a lot, so my favorite features a few years ago might not be my favorite features today.

The visibility the solution gives when doing deep packet inspection can be complex. I really like the visibility, but it's not always intuitive to use. I also help other customers. We are a contracting company that implements their solutions, and I've found that it's not always easy to get everyone to utilize some of the visibility features. But for me personally, I think they're very valuable. 

The ease of use when it comes to managing Cisco Firepower has a lot of room for improvement. When monitoring a large set of firewall policies, the user interface could be lighter. It's sometimes heavy in use, and there could be improvements there. I know they're trying to make improvements.

It's mainly the UI and the management parts that need improvement. The most impactful feature when you're using it is the user interface and the user experience.

We were an early adopter when Firepower first came out. I've been using Cisco firewalls for the last two decades.

For newer hardware models, the stability is good. We've tried to run Firepower on some of the legacy-supported hardware as well, but with the stability issues, they are not as good. If I were to judge based on the hardware that I have, I'd say it's good. I haven't had any issues with the stability on my platform.

We just recently enabled Snort 3 so I'm evaluating the functionality. That's what we've considered, but we haven't done any performance testing. Our company would qualify as a small to medium business company. The average office environment is about 100 to 200 people. Performance-wise, my company is about 120 people.

Scalability is really not relevant. I know there are features that address some of those parts, like clustering and stuff, but that's really not applicable in my use cases.

The support is eight to nine out of ten. You can't blame them for any faults of the prototypes, but the support has been really good and really helpful when we had any issues.

I have hands-on experience in both Fortinet and Palo Alto. So if I were to compare this to Palo Alto, for example, I would say that the user interface in Palo Alto is a lot better. But the reason that I'm working with Firepower is that we have a Cisco network as well, and Cisco ISE. We're trying to integrate different Cisco solutions. We're trying to utilize the ecosystem benefits where I can connect my Cisco Firepower to ISE and have it talk to the App Cloud. There's a benefit of utilizing Cisco Firepower in conjunction with our other Cisco solutions.

Ease of management is similar with Cisco and Fortinet, I would say similar, but it's easier in Palo Alto.

I recently deployed a similar solution at a customer's premises, and that setup was straightforward.

The steps are fairly documented and the documentation and guides on Cisco are straightforward. You know what you're expected to configure, and it's easy to get up, running, and started. It takes some more time to check everything and get everything as you want to have it, but getting started and getting connectivity and starting to create policies was easy to do and didn't take a very long time.

It took two to four hours, including some upgrades.

My main advice would be to utilize all the guides and documentation available from Cisco publicly and not trying to implement it using legacy thinking. Don't try to just replace something else you have. If you have a next-gen firewall, you want to try to utilize what you're getting, and getting the most out of a firewall. There are some great guides and documentation on Cisco that explains what you can do and how you can do it.

I would rate it a seven out of ten. 

Most organizations use the Fortinet firewall as perimeter security at the gateway level.

FortiGate has threat protection, antivirus, and even SSL encryption and decryption. So FortiGate is primarily used for security purposes. And a few customers also use this firewall for web filtering and application control. So these are the two features for which people use FortiGate.

FortiGate is primarily a gateway,  but customers also use web filter threat protection and application control. And some people use it as a special VPN for remote access. I recently deployed one virtual firewall where they're only using the FortiGate firewall for VPN. I can't say one feature is the most valuable because it's a bundle solution. So no one uses FortiGate for just one single feature. 

Currently, FortiGate is providing SSL VPN. But they're missing some features that are available in Palo Alto's SSL VPN. Palo Alto provides a compliance check along with the VPN, and they have a very broad checklist. So Palo Alto's global protection can scan and check multiple things, and we can choose what access users can have based on compliance with policies. So I think this is one area where FortiGate can improve. Also, multi-factor authentication isn't native to FortiGate. If you want to incorporate multi-factor authentication, you have to add a secondary or third-party solution. 

I've been using FortiGate for around five years.

Before version 6.0, FortiGate's firewall performed well enough, but lately, they've introduced so many features. After that, its stability has been somewhat lacking. This is because they're constantly updating their firmware. So it was pretty stable, but nowadays, it's not that stable.

I haven't worked on the scalability side because most of the time, the pre-sales tools are relatively bigger devices. So right now, I haven't faced any issues with scalability. They have some larger devices for the data center. So if we talk about their hardware, I think they're capable of handling around 10,000 to 15,000 people on a single device. But if you go with the virtual environment, I don't think there is a problem. Fortinet has a single OS that we can deploy on whatever hardware capacity we want to configure over there or through virtualization.

Fortinet support is good. They resolve tickets relatively fast. So we've had no issues with that. And I don't know about other regions, but in my region, the salespeople working with Fortinet are strong. They're aggressively working on the sales part. So in the Pune region and the rest of Maharashtra, they're winning more contracts, and people are using FortiGate Firewall.

The management console is pretty simple, so anyone who understands networking can initially deploy the solution. But you need some good hands-on experience for advanced configuration. The amount of time required to deploy depends upon the project and also the organization. So it takes around four to five days to deploy a smaller device. And for the largest device, it takes around a maximum of two months. We do the deployment on our own. So we have a sales team, a pre-sales team, and a deployment team. Our sales team gets this and handles the sales end. After that, we come into the picture. So we do the whole migration, as well as the new implementation and everything. It should take no more than two people to deploy. If we want to migrate from one Fortinet device to another, then we use the command line. They have some script in their firmware, and we can migrate the script directly from the older firewall to the new one. So it isn't too complex.

I'm somewhat aware of the pricing, but most of the time, the pre-sales staff only defines their requirements. And we get the licenses at the time of implementation, then register and activate them. But I think Fortinet has multiple packages. They sell licenses for a period of one, three, or five years. They also have special add-on licenses for various things. So, for example, if you want to get a security rating for the firmware configuration and everything, you need to purchase an additional security license. And if you want to do some IoT-related security, you also need to purchase separate licenses. 

I rate FortiGate eight out of 10 based on the performance, stability, performance, management, rights, and features. So most people lack SSL encryption and the certificate part. Those servers are running behind the FortiGate firewall. And most of the people I've seen are not using SSL encryption over there. And even for internet purposes, they're not using deep scanning.  So my suggestion to people thinking about using FortiGate is to prepare a plan before implementation and implement those things in inbound inspection and outbound inspection. This is recommended. And also, if you have multiple band links, then you must use SD-WAN. They have SD-WAN options in the FortiGate firewall. It's a pretty good feature. So you can use that to improve your stability and performance.

We primarily use the solution for basic access, filtering, and more. 

We have set up the IPsec VPN through that. It's a UTM device.

It's easy to manage, actually. It's a UTM device rather than a normal firewall as compared to Cisco PIX, or Juniper. 

The web filtering is a key feature of almost every firewall. However, this appliance is more secure, reliable, and stable. We haven't had any problems, so far.

For ten to 12 years it has been quite secure.

It's scalable.

Policy management is very easy, and configuration is very easy as well. 

The support is also good.

Real-time threat monitoring is not there. The traffic hitting the firewall needs to be improved to have real-time monitoring. Traffic should be more visible and should be available on the dashboard. Even if something is blocked, we should be able to see the traffic. We need a security posture showing the organization's security posture to see the traffic hitting the firewall, the user or entity behavior, et cetera. If there's an abnormality, it should be reported. We need to be able to generate multiple reports and see everything in the logs. Logs are only available for a week; we should have them visible for up to three or six months or even a year.  

It can be a bit expensive.

If you have an emergency and need support immediately, it can be hard to reach them as they don't have a direct number to call. 

I've been working with the solution since 2007.

This is reliable, stable, and problem-free. There are no bugs or glitches. It doesn't crash or freeze. I'd rate the product five out of five in terms of stability.

It is a scalable solution. It's easy to expand. That said, appliance to appliance, there is a limitation. However, I would rate it four out of five in terms of scaling capability. 

Our organization has 400 to 500 people on the solution right now. There's another organization as well that has 300 people using it. Overall, 10,000 or more people are likely using it across 2,000 locations. Every location has one or two firewalls to make it redundant in a failover mode. If one fails or one stops working, the other will take over. That never happens, however, it ensures we're safe and covered.  

Technical support is great. They are helpful and responsive. 

We have to send emails to get assistance. The response time is good, however, if something is an emergency, then it is difficult to reach people. There is no number to call to get help right away. 

Positive

I have previous experience with Palo Alto and Juniper. We also have used Cisco.

I didn't choose Fortinet. It was already being used when I came along. It was a standard practice to use Fortinet across locations worldwide. 

The initial setup is not complex. It's very straightforward and quite simple. 

It has an easy initial setup process. Three people we involved in the setup process.

We first set up the basic policy, and then we did an IPsec VPN, and then, based on the access requirement of each business vertical, we manage the setup. We define the access website URLs that will be restricted or allowed, including port blocking, et cetera.

The time it takes to set up varies. Sometimes it's a night or a few hours, sometimes it's up to ten days. A basic setup will not take one or two hours.

We handled the process of implementation in-house. We did not need outside assistance.

We have not done an ROI calculation to see if there is anything there to note. 

We pay a yearly licensing fee, however, in India, you can get licensing for up to two years. It is a bit expensive. That said, I haven't done a comparative analysis with other options on the market.

I'd rate it a four out of five in terms of affordability.

We're Fortinet clients. 

We are using the latest version of the solution. 

We are using Fortinet 60D, 80E, and 100 also.

I'd rate this solution nine out of ten.