it_user362526 - PeerSpot reviewer
User at a tech company with 51-200 employees

Fortinet vs Sophos? Help choose a NGFW solution that can replace Microsoft TMG.

Wanted to get some firsthand input on Fortinet vs Sophos and how seamless the transition from TMG was.

Sophos: Has anyone transitioned/migrated on to the new Sophos XG Platform (a combination of the Astaro and Cyberoam) yet, if so are all the TMG replacement technologies still present on the new platform? Are we better off sticking to the current tried and true UTM 9 offering or jump onboard to the brand-new XG Platform?

Also, how is the overall effectiveness of Sophos as an NGFW? The results I saw from a couple of security lab reports are a bit concerning.

Fortinet: Is a FortiWeb (appliance or VM) absolutely required on top of a FortiGate Firewall for Reverse Proxy services for OWA, SharePoint, Terminal Services Gateway, etc.; Inbound/Outbound SSL Bridging & Inspection, Web Proxy, single sign-on user authentication (AD integration), etc.? Are there any major TMG feature gaps missing from Fortinet’s?

How easy or difficult was the transition with the Fortinet solution? Is their tech support as bad as I’ve read on a few threads?

11 Answers
Dusko Petrovic - PeerSpot reviewer
Chairman & CEO at Digit Montenegro
Dec 30, 2015

It depends. If you don’t need to pre-authenticate your OWA/SharePoint users before they reach your server, then FortiGate on its own could do the job. But keep in mind that FortiGate is not a Reverse Proxy solution. Yes, FortiGate can do OWA and SharePoint publishing on its own (with Virtual IPs or Server Load Balancing), and it can scan that traffic with IPS/Antimalware/DLP/Web Filter/Antispam, but it cannot authenticate the users on behalf of the OWA or SharePoint. It can inspect SSL traffic, but it cannot perform SSL Offloading for these services. Also, FortiGate cannot do URL rewriting (necessary, for example, if you want to automatically redirect all clients who are accessing your OWA server from HTTP to HTTPS). So, if you are looking for a full-fledged reverse proxy solution, then a FortiWeb is required.

On the other hand, FortiGate can serve pretty well like a Web Proxy (if sized appropriately). It supports Web Caching and PAC script. It also supports SSO with AD, Novell and RADIUS, so it is a great alternative to TMG in this respect. Gaps, as mentioned, are related to Reverse Proxy functionality: External User SSO Authentication and SSL Offloading are missing.

Fortinet went a long way to replace the TMG with the FortiWeb, so the transition should not be a problem for savvy users who understand the basic principles of a WAF and know that FortiWeb is not a UTM device.

Our experience with the Fortinet tech support was almost entirely positive. Never did they tell us that something is not their issue or that some other vendor’s product is responsible for our problems – they always helped us as much as they could. For example, recently I’ve had some trouble connecting the FortiMail with an IBM StorWize storage via iSCSI. Fortinet tech support really dived into the problem, while IBM support almost immediately responded that the FortiMail is not supported as an iSCSI host, and that we should try to connect from a supported iSCSI host (Windows). Naturally, the problem was on the IBM side. And we always get the impression they are really trying to resolve the issue at hand; they’re not just referring you to some random documentation and giving generic recommendations (like ‘restart the device’, ‘upgrade the firmware’, etc.). But, I must say that I’m talking from the Fortinet Gold Partner perspective; I don’t really have much insight on how they treat end users, except that we have had no complaints so far. Of course, this is a two-way street. You have to do your part well, and describe the problem (and diagnostic steps already performed) thoroughly, so that they are able to really help you and not waste their (and your) time on basic diagnostics.

We have no experience with Sophos.

it_user216600 - PeerSpot reviewer
Senior Technical Consultant with 51-200 employees
Dec 29, 2015

I have used both Sophos and Fortinet products in production and I have found the Sophos UTM appliances (hardware and virtual) to be a better fit most of the time -- with a few caveats which I will touch on below. In both instances, the transition from TMG will be mostly straightforward. The main hang-ups will be with the VIP/load balancing and SSL. For some reason that completely escapes me, both of these vendors make getting valid certificates onto their boxes unnecessarily difficult -- the Fortinet appliances more so than the Sophos UTM appliances. At one point a Fortinet engineer had to write an entire manual on how to get an SSL certificate uploaded successfully on the 4.x firmware.

Sophos: The one feature that is missing (and this makes some amount of sense) from the Sophos appliance is BITS caching for updates. Other than that, Sophos offers a full replacement for TMG on UTM 9. The XG platform also offers a replacement for the TMG; however, some of the rumblings about upcoming releases suggest that Sophos is going to give XG the Apple iOS treatment and "streamline" the interface...potentially cutting out/hiding some functionality. On the effectiveness of the NGFW, Sophos is mostly good but has a few issues blocking all pieces of an application. For instance, we had to build custom blocking rules for OpenVPN (the VPN was being used to bypass the content filter) because the default Application Control wasn't effectively blocking the application.

Fortinet: If it wasn't for Fortinet's terrible tech support we would still be deploying FortiGates exclusively. So perhaps that answers your last question right upfront. FortiWeb is not absolutely required for what you are proposing; however, the FortiWeb does make the transition from TMG much easier, as the FortiWeb is purpose-built to do what you are requiring. Related, the AD integration used with Fortinet is one of the strongest implementations we have used: the SSO agent's ability to poll data from the DCs without an agent allows the use of SSO with non-Windows machines that are bound to AD, which we have used extensively at both educational institutions and shops running CentOS. Transitioning to Fortinet is relatively simple: the UI makes a lot more sense than it did in the old 4.x releases, the firewall rules are straightforward, and the reverse proxy settings are well-documented.

it_user308598 - PeerSpot reviewer
User at a tech company with 51-200 employees
Jan 4, 2016

I missed the bit about their tech support. It really does leave a lot to be desired. Most of the issues you’re able to sort out yourself or make use of the forums available. The issues are generally the same across the board so you’ll most likely find a solution or something similar to help point you in the right direction.

it_user308598 - PeerSpot reviewer
User at a tech company with 51-200 employees
Jan 4, 2016

I don’t really know Sophos all that well so can’t comment on that particular piece of kit.

However, in terms of moving from TMG and Cisco ASA to NGFW, the process is quite seamless. The exception is if you’re using TMG to do URL forwarding; then you’ll have to do a bit of a custom jobby to get that going. The only means of doing URL forwarding is by utilising the explicit proxy feature. Not exactly the same, but close enough.

The FortiGate isn’t able to host any certificates for Exchange or the like. The only certificates that you’re able to upload on to it are the ones specifically used for SSL inspection, VPN, Wi-Fi and to prevent certificate warnings when connecting to the browser-based management console.

We’ve not needed to use FortiWeb as of yet, as the FortiGate covers all of the customers’ requirements. One thing that I can suggest as an absolute must for logging is a FortiAnalyzer. The virtual edition works very well and comes in at a much lower cost.

it_user71988 - PeerSpot reviewer
Sales at Barracuda Networks
Dec 30, 2015

Try the Barracuda Load Balancer ADC. It worked for me to replace TMG at a way lower price point than any NGFW.

it_user260103 - PeerSpot reviewer
Technical Writer at Sophos
Dec 30, 2015

Hi reviewer362526,

In addition to the already excellent points covered by Michael above, here are answers to your queries:

The Web Application Firewall (WAF) module running in the new Sophos XG Firewall is the same as that in Sophos UTM 9.X. This means the XG Firewall inherits ALL web server protection features present in Sophos UTM. Put simply, just like Sophos UTM, the XG Firewall also offers a FULL and seamless replacement for the TMG.

About the concern Michael has raised related to the "streamlined" interface in XG Firewall that "could result in cutting out/hiding some functionality" - the new UI in XG Firewall is meant to provide quick access to all the features you need without unnecessary complexity. Rest assured, neither does the XG Firewall cut out or hide any WAF feature of Sophos UTM nor do we plan to do so :)

In fact, the XG Firewall goes a step ahead of Sophos UTM and makes the transition from TMG even smoother with its ALL NEW pre-defined WAF policy templates that let you protect common applications like Microsoft Exchange or SharePoint fast. Simply select them from a list, provide some basic information and the template takes care of the rest. It sets all the inbound/ outbound firewall rules and security settings for you automatically - displaying the final policy in a statement in plain English!

Also, check out this TMG replacement guide by Sophos:

Coming to your queries related to Fortinet:

1. Is a FortiWeb appliance absolutely required on top of a FortiGate Firewall...?
As mentioned by Michael, you do not necessarily need a FortiWeb appliance on top of a FortiGate unit to fulfill the requirements you cited above. The reason is that, with the new FOS 5.4.0 released a week back, FortiGate has caught up a lot as far as features related to protecting web servers are concerned. That said, FortiGate still doesn't have a proper WAF. It seems to be a collection of web application attack blocks by signature, maybe taken from their IPS/AppControl.

2. Are there any major TMG feature gaps missing from the Fortinet’s?
Yes, FortiGate still doesn't support the following TMG features:
- Reverse Proxy
- Reverse Proxy SSL Offloading and
- Reverse Proxy Authentication

Coming back to your first query: if you need these "must-have" TMG features, you MUST buy a FortiWeb appliance (which is priced separately) on top of a FortiGate unit!

3. Is Fortinet's tech support as bad as I’ve read on a few threads?
Again, as mentioned by Michael, Fortinet's tech support is just horrible.

Feel free to get back if you need further assistance with this :)

Dec 30, 2015

Unfortunately I don’t have experience with either Fortinet or Sophos. I would recommend the member try out WebSense, as it would cover all his/her requirements and more.

it_user337590 - PeerSpot reviewer
CTO at a tech services company
Dec 29, 2015

If you want my word on NGFW, it doesn't include Sophos or Fortinet. Those are "light" UTM solutions that see mostly "clean" networks even when they are seriously compromised.

If you want to get serious, choose either Palo Alto Networks or Checkpoint Security appliances.

Our company produces our own range of high-performing IDS/IPS appliances, which have the highest visibility. You can check them at: www.aensis.com

it_user352776 - PeerSpot reviewer
IT Division at Lais s.r.l.
Dec 29, 2015

Take a look also at this solution.
This has a better UTM based on RFCs; Sophos is always the best for proxy features.

it_user314634 - PeerSpot reviewer
CEO at a tech services company with 51-200 employees
Dec 29, 2015

There are many arguments for choosing Stonegate.

it_user181821 - PeerSpot reviewer
Security Expert at a financial services firm
Dec 29, 2015

Most definitely Fortinet: it has been far longer involved in the firewall business than Sophos, with better maturity and functionality.
