2015-12-28T22:12:00Z
it_user362526 - PeerSpot reviewer
User at a tech company with 51-200 employees

Fortinet vs Sophos? Help choose a NGFW solution that can replace Microsoft TMG.

Wanted to get some firsthand input on Fortinet vs Sophos and how seamless the transition from TMG was.

Sophos: Has anyone transitioned/migrated on to the new Sophos XG Platform (a combination of the Astaro and Cyberoam) yet, if so are all the TMG replacement technologies still present on the new platform? Are we better off sticking to the current tried and true UTM 9 offering or jump onboard to the brand-new XG Platform?

Also, how is the overall effectiveness of Sophos as a NGFW? The results I saw from a couple of security lab reports are a bit concerning.

Fortinet: Is a FortiWeb (appliance or VM) absolutely required on top of a FortiGate Firewall for Reverse Proxy services for OWA, SharePoint, Terminal Services Gateway, etc.; Inbound/Outbound SSL Bridging & Inspection, Web Proxy, single sign-on user authentication (AD integration), etc.? Are there any major TMG feature gaps missing from Fortinet's?

How easy or difficult was the transition with the Fortinet solution? Is their tech support as bad as I’ve read on a few threads?

11 Answers
DP
Chairman & CEO at a tech services company with 11-50 employees
Real User
2015-12-30T09:30:03Z

It depends. If you don’t need to pre-authenticate your OWA/SharePoint users before they reach your server, then FortiGate on its own could do the job. But keep in mind that FortiGate is not a Reverse Proxy solution. Yes, FortiGate can do OWA and SharePoint publishing on its own (with Virtual IPs or Server Load Balancing), and it can scan that traffic with IPS/Antimalware/DLP/Web Filter/Antispam, but it cannot authenticate the users on behalf of the OWA or SharePoint. It can inspect SSL traffic, but it cannot perform SSL Offloading for these services. Also, FortiGate cannot do URL rewriting (necessary, for example, if you want to automatically redirect all clients who are accessing your OWA server from HTTP to HTTPS). So, if you are looking for a full-fledged reverse proxy solution, then a FortiWeb is required.

On the other hand, FortiGate can serve pretty well as a Web Proxy (if sized appropriately). It supports Web Caching and PAC script. It also supports SSO with AD, Novell and RADIUS, so it is a great alternative to TMG in this respect. Gaps, as mentioned, are related to Reverse Proxy functionality: External User SSO Authentication and SSL Offloading are missing.

Fortinet went a long way to replace the TMG with the FortiWeb, so the transition should not be a problem for savvy users who understand the basic principles of a WAF and know that FortiWeb is not a UTM device.

Our experience with the Fortinet tech support was almost entirely positive. Never did they tell us that something is not their issue or that some other vendor’s product is responsible for our problems – they always helped us as much as they could. For example, recently I’ve had some trouble connecting the FortiMail with an IBM StorWize storage via iSCSI. Fortinet tech support really dove into the problem, while IBM support almost immediately responded that the FortiMail is not supported as an iSCSI host, and that we should try to connect from a supported iSCSI host (Windows). Naturally, the problem was on the IBM side. And we always get the impression they are really trying to resolve the issue at hand; they’re not just referring you to some random documentation and giving generic recommendations (like ‘restart the device’, ‘upgrade the firmware’, etc.). But, I must say that I’m talking from the Fortinet Gold Partner perspective; I don’t really have much insight on how they treat end users, except that we had no complaints so far. Of course, this is a two-way street. You have to do your part well, and describe the problem (and diagnostic steps already performed) thoroughly, so that they are able to really help you and not waste their (and your) time on basic diagnostics.

We have no experience with Sophos.
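
The answer above separates what a firewall VIP does (forward and scan a published server) from what a reverse proxy does (rewrite URLs, pre-authenticate users, offload TLS). The following is an added illustration of those three proxy-side behaviours in one request handler; it is not Fortinet, Sophos or TMG code. The backend hostnames, the cookie name `edge_session`, the HMAC key and the 8-hour session lifetime are assumptions for the example.

```python
"""Added example: the edge behaviours a plain VIP lacks and a reverse proxy
adds for a published OWA/SharePoint server.
  1. URL rewriting   - HTTP hits are redirected to HTTPS.
  2. Pre-auth        - the backend never sees a request without a valid
                       edge session (an HMAC-signed cookie here).
  3. SSL offloading  - TLS ends on the proxy; the upstream hop may be plain HTTP.
Not a vendor's implementation; names, key and TTL below are assumptions."""
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET = b"replace-with-a-random-32-byte-key"   # assumption: the edge's HMAC key
COOKIE = "edge_session"                          # assumption: cookie carrying the edge session
TOKEN_TTL = 8 * 3600                             # assumption: 8-hour edge session

# Hypothetical published applications: public path prefix -> internal origin.
# TLS is terminated on the proxy, so the backend hop can be plain HTTP.
PUBLISHED = {
    "/owa": "http://exchange.internal:80",
    "/sharepoint": "http://sp.internal:80",
}


def issue_token(user: str, now: Optional[int] = None) -> str:
    """Mint an edge session token: urlsafe-base64 of 'user|expiry|hmac-hex'."""
    now = int(time.time()) if now is None else now
    body = f"{user}|{now + TOKEN_TTL}".encode()
    mac = hmac.new(SECRET, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"|" + mac).decode()


def verify_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token is intact and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        parts = base64.urlsafe_b64decode(token.encode()).split(b"|")
        if len(parts) != 3:
            return None
        user, exp, mac = parts
        expected = hmac.new(SECRET, user + b"|" + exp, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(mac, expected):   # constant-time compare
            return None
        if int(exp) <= now:                          # expired session
            return None
    except ValueError:                               # bad base64 or bad expiry field
        return None
    return user.decode()


def handle(req: dict) -> dict:
    """Edge decision for one request.

    req: {"scheme", "host", "path", optional "cookies", "client_ip", "now"}.
    Returns a redirect, a 401, a 404, or a forward instruction for the proxy."""
    scheme, host, path = req["scheme"], req["host"], req["path"]
    # 1. URL rewrite: a plain-HTTP hit on the published name is bounced to HTTPS.
    if scheme != "https":
        return {"status": 301, "location": f"https://{host}{path}"}
    # 2. Only published prefixes exist from the outside; anything else stops here.
    prefix = next((p for p in PUBLISHED if path == p or path.startswith(p + "/")), None)
    if prefix is None:
        return {"status": 404}
    # 3. Pre-authentication: the backend never receives an anonymous request.
    user = verify_token(req.get("cookies", {}).get(COOKIE, ""), req.get("now"))
    if user is None:
        return {"status": 401, "www_authenticate": 'Basic realm="edge"'}
    # 4. SSL offload and forward: TLS ended here; identity is handed to the
    #    backend in a header that the backend must accept only from this proxy.
    return {
        "status": 200,
        "upstream": PUBLISHED[prefix] + (path[len(prefix):] or "/"),
        "headers": {
            "Host": host,
            "X-Forwarded-For": req.get("client_ip", ""),
            "X-Forwarded-Proto": "https",
            "X-Authenticated-User": user,
        },
    }


if __name__ == "__main__":
    demo = {"scheme": "https", "host": "mail.example.com", "path": "/owa/",
            "cookies": {COOKIE: issue_token("alice")}, "client_ip": "203.0.113.5"}
    print(handle({"scheme": "http", "host": "mail.example.com", "path": "/owa/"}))  # 301
    print(handle(dict(demo, cookies={})))                                          # 401
    print(handle(demo))                                                            # forward
```

The point of step 3 is the one the answer makes: the VIP forwards the anonymous request to OWA and lets Exchange authenticate, whereas the proxy refuses it before any backend code runs. Step 4 shows why this requires terminating TLS on the edge device, which a VIP that merely inspects SSL does not do.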

it_user216600 - PeerSpot reviewer
Senior Technical Consultant with 51-200 employees
MSP
2015-12-29T14:11:58Z

I have used both Sophos and Fortinet products in production and I have found the Sophos UTM appliances (hardware and virtual) to be a better fit most of the time -- with a few caveats which I will touch on below. In both instances, the transition from TMG will be mostly straightforward. The main hang-ups will be with the VIP/load balancing and SSL. For some reason that completely escapes me, both of these vendors make getting valid certificates onto their boxes unnecessarily difficult -- the Fortinet appliances more so than the Sophos UTM appliances. At one point a Fortinet engineer had to write an entire manual on how to get an SSL certificate uploaded successfully on the 4.x firmware.

Sophos: The one feature that is missing (and this makes some amount of sense) from the Sophos appliance is BITS caching for updates. Other than that, Sophos offers a full replacement for TMG on UTM9. The XG platform also offers a replacement for the TMG; however, some of the rumblings about upcoming releases suggest that Sophos is going to give XG the Apple iOS treatment and "streamline" the interface...potentially cutting out/hiding some functionality. On the effectiveness of the NGFW, Sophos is mostly good but has a few issues blocking all pieces of an application. For instance, we had to build custom blocking rules for OpenVPN (the VPN was being used to bypass the content filter) because the default Application Control wasn't effectively blocking the application.

Fortinet: If it wasn't for Fortinet's terrible tech support we would still be deploying Fortigates exclusively. So perhaps that answers your last question right upfront. FortiWeb is not absolutely required for what you are proposing; however, the FortiWeb does make the transition from TMG much easier as the FortiWeb is purpose-built to do what you are requiring. Related, the AD integration used with Fortinet is one of the strongest implementations we have used: the SSO agent's ability to poll data from the DCs without an agent allows the use of SSO with non-Windows machines that are bound to AD, which we have used extensively at both educational institutions and shops running CentOS. Transitioning to Fortinet is relatively simple: the UI makes a lot more sense than it did in the old 4.x releases, the firewall rules are straightforward, and the reverse proxy settings are well-documented.
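
The answer above mentions having to write custom blocking rules because stock Application Control let OpenVPN through. What such a rule has to encode is a protocol-level signature rather than a port: OpenVPN's first byte carries a 5-bit opcode and a 3-bit key id, and a fresh client session always opens with P_CONTROL_HARD_RESET_CLIENT_V2 (opcode 7, later versions opcode 10) and key id 0, on whatever port the operator picked. The following is an added example of that signature logic run over constructed packets; it is not the Sophos rule the answer refers to, and the sample flows, addresses and session id are made up.

```python
"""Added example (not a vendor's signature): flag OpenVPN client handshakes
by packet structure, independent of port.  Sample traffic is constructed."""
import struct
from typing import Iterable, List, Optional, Tuple

OPCODE_NAMES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1",
    6: "P_DATA_V1", 7: "P_CONTROL_HARD_RESET_CLIENT_V2",
    8: "P_CONTROL_HARD_RESET_SERVER_V2", 9: "P_DATA_V2",
    10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
CLIENT_HARD_RESET = {7, 10}      # the only opcodes a brand-new client session starts with


def _unframe(payload: bytes, transport: str) -> Optional[bytes]:
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length."""
    if transport == "udp":
        return payload
    if transport == "tcp":
        if len(payload) < 2:
            return None
        (length,) = struct.unpack(">H", payload[:2])
        if length != len(payload) - 2:      # framing must be self-consistent
            return None
        return payload[2:]
    raise ValueError(f"unknown transport {transport!r}")


def openvpn_client_hello(payload: bytes, transport: str = "udp") -> Optional[dict]:
    """Return a description if payload looks like an OpenVPN client hard-reset, else None."""
    pkt = _unframe(payload, transport)
    if not pkt:
        return None
    opcode, key_id = pkt[0] >> 3, pkt[0] & 0x07
    if opcode not in CLIENT_HARD_RESET or key_id != 0:
        return None
    # Plain layout (no tls-auth/tls-crypt):
    #   opcode|key_id (1) | session id (8) | ack array length (1, = 0 on a first
    #   packet) | message packet id (4, = 0)                        -> 14 bytes
    # With tls-auth an HMAC, packet id and timestamp follow the session id, so
    # the packet is longer; with tls-crypt the tail is encrypted.  We check the
    # fields that are always visible and only insist on the zero tail when the
    # packet is exactly the plain size.
    if len(pkt) < 14:
        return None
    wrapped = len(pkt) > 14
    if not wrapped and (pkt[9] != 0 or pkt[10:14] != b"\x00\x00\x00\x00"):
        return None
    return {"opcode": OPCODE_NAMES[opcode], "key_id": key_id,
            "session_id": pkt[1:9].hex(), "wrapped": wrapped, "transport": transport}


def flag_flows(flows: Iterable[Tuple[str, str, str, bytes]]) -> List[Tuple[str, str, dict]]:
    """flows: (src, dst, transport, first client payload). Returns the OpenVPN hits."""
    hits = []
    for src, dst, transport, payload in flows:
        match = openvpn_client_hello(payload, transport)
        if match:
            hits.append((src, dst, match))
    return hits


# Constructed sample traffic: a hard reset on the default port, the same
# handshake hidden on TCP/443, and two innocent first packets (DNS, TLS).
SID = bytes.fromhex("0123456789abcdef")                      # made-up session id
UDP_HELLO = b"\x38" + SID + b"\x00" + b"\x00\x00\x00\x00"    # 0x38 = opcode 7, key id 0
TCP_HELLO = struct.pack(">H", len(UDP_HELLO)) + UDP_HELLO
SAMPLE_FLOWS = [
    ("10.0.0.5", "198.51.100.7:1194", "udp", UDP_HELLO),
    ("10.0.0.6", "198.51.100.7:443", "tcp", TCP_HELLO),
    ("10.0.0.7", "198.51.100.8:53", "udp", b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x03www"),
    ("10.0.0.8", "198.51.100.9:443", "tcp", b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
]

if __name__ == "__main__":
    for src, dst, match in flag_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {match['opcode']} over {match['transport']}")
```

The second sample flow is the case that defeats a port-based rule: the same 14-byte hard reset inside the TCP length framing on 443. A single-packet signature like this has a low but non-zero false-positive rate (any 14-byte UDP datagram whose first byte is 0x38 and whose tail is zero would match), which is why a production rule would also confirm the server's HARD_RESET_SERVER_V2 reply before blocking the flow.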

it_user308598 - PeerSpot reviewer
User at a tech company with 51-200 employees
Vendor
2016-01-04T06:15:24Z

I missed the bit about their tech support. It really does leave a lot to be desired. Most of the issues you’re able to sort out yourself or make use of the forums available. The issues are generally the same across the board so you’ll most likely find a solution or something similar to help point you in the right direction.

it_user308598 - PeerSpot reviewer
User at a tech company with 51-200 employees
Vendor
2016-01-04T06:13:02Z

I don’t really know Sophos all that well so can’t comment on that particular piece of kit.

However in terms of moving from TMG and Cisco ASA to NGFW the process is quite seamless. Aside from if you’re using TMG to do URL forwarding you’ll have to do a bit of a custom jobby to get that going. The only means of doing URL forwarding is by utilising the explicit proxy feature. Not exactly the same but close enough.

The Fortigate isn’t able to host any certificates for Exchange or any of the like. The only certificates that you’re able to upload on to it are the ones specifically used for SSL inspection, VPN, Wi-Fi and to prevent certificate warnings when connecting to the browser-based management console.

We’ve not needed to use FortiWeb as of yet as the Fortigate covers all of the customers requirements. One thing that I can suggest is an absolute must for logging is a FortiAnalyzer. The virtual edition works very well and comes in at much lower cost.

it_user71988 - PeerSpot reviewer
Sales at Barracuda Networks
Vendor
2015-12-30T12:32:15Z

Try Barracuda Loadbalancer ADC. Worked for me to replace TMG at a way lower pricepoint than any NGFW.

it_user260103 - PeerSpot reviewer
Technical Writer at Sophos
Vendor
2015-12-30T07:40:35Z

Hi reviewer362526,

In addition to the already excellent points covered by Michael above, here are answers to your queries:

The Web Application Firewall (WAF) module running in the new Sophos XG Firewall is the same as that in Sophos UTM 9.X. Meaning, the XG Firewall inherits ALL web server protection features present in Sophos UTM. Put simply, just like Sophos UTM, the XG Firewall also offers a FULL and seamless replacement for the TMG.

About the concern Michael has raised related to the "streamlined" interface in XG Firewall that "could result in cutting out/hiding some functionality" - the new UI in XG Firewall is meant to provide quick access to all the features you need without unnecessary complexity. Rest assured, neither does the XG Firewall cut out or hide any WAF feature of Sophos UTM nor do we plan to do so :)

In fact, the XG Firewall goes a step ahead of Sophos UTM and makes the transition from TMG even smoother with its ALL NEW pre-defined WAF policy templates that let you protect common applications like Microsoft Exchange or SharePoint fast. Simply select them from a list, provide some basic information and the template takes care of the rest. It sets all the inbound/ outbound firewall rules and security settings for you automatically - displaying the final policy in a statement in plain English!

Also, check out this TMG replacement guide by Sophos:
https://www.sophos.com/products/unified/utm/tmg-replacement.aspx

Coming to your queries related to Fortinet:

1. Is a FortiWeb appliance absolutely required on top of a FortiGate Firewall...?
As mentioned by Michael, you do not necessarily need a FortiWeb appliance on top of a FortiGate unit to fulfill the requirements you cited above. The reason being, with the new FOS 5.4.0 released a week back, FortiGate has caught up a lot as far as features related to protecting web servers are concerned. That said, FortiGate still doesn't have a proper WAF. It seems to be a collection of web application attack blocks by signature, maybe taken from their IPS/AppControl.

2. Are there any major TMG feature gaps missing from the Fortinet’s?
Yes, FortiGate still doesn't support following TMG features:
- Reverse Proxy
- Reverse Proxy SSL Offloading and
- Reverse Proxy Authentication

Coming back to your 1st query, if you need these "must-have" TMG features, you MUST buy a FortiWeb appliance (which is priced separately) on top of a FortiGate unit!

3. Is Fortinet's tech support as bad as I’ve read on a few threads?
Again, as mentioned by Michael, Fortinet's tech support is just horrible.

Feel free to get back if you need further assistance with this :)

Vendor
2015-12-30T01:23:51Z

Unfortunately I don’t have experience with either Fortinet or Sophos. I would recommend the member try out WebSense, as it would cover all his/her requirements and more.

it_user337590 - PeerSpot reviewer
CTO at a tech services company
Consultant
2015-12-29T16:07:09Z

If you want my word on NGFW, it doesn't include Sophos nor Fortinet. Those are "light" UTM solutions that see mostly "clean" networks even when they are seriously compromised.

If you want to get serious, choose either Palo Alto Networks or Checkpoint Security appliances.

Our company produces our own range of high-performing IDS/IPS appliances, which have the highest visibility. You can check them at: www.aensis.com

it_user352776 - PeerSpot reviewer
IT Division at Lais s.r.l.
Consultant
2015-12-29T14:09:27Z

Take a look also at this solution:
https://www.stormshield.eu/francais-protection-du-reseau/network-protection/
This has a better UTM based on RFCs; Sophos is always the best for proxy features.

it_user314634 - PeerSpot reviewer
CEO at a tech services company with 51-200 employees
Consultant
2015-12-29T12:05:47Z

There are many arguments for choosing Stonegate.

it_user181821 - PeerSpot reviewer
Security Expert at a financial services firm
Vendor
2015-12-29T12:04:30Z

Most definitely Fortinet: it has been involved in the firewall business far longer than Sophos, with better maturity and functionality.
