Coming October 25: PeerSpot Awards will be announced! Learn more
2016-01-28T11:29:00Z
  • 23
  • 147

Sophos XG vs Fortigate UTM

Can Sophos XG 85w handle network traffic going through Cisco switches better Than Fortigate UTM? Which one will be a better firewall for handling mobile operator network traffic going through Cisco switches?

21
PeerSpot user
21 Answers
PeerSpot user
CEO at Makros SPA
Consultant
2016-02-02T20:46:42Z
02 February 16

I had experience in both platforms, and according to the scenario that you describes both will work fine. What you need to consider is which one will give you a better support when it comes to solve doubts, and for that my experience its better with Sophos. My recommendation will be to have a certified partner that comes with you in the scenario.

PeerSpot user
Network and Security Engineer at a integrator with 51-200 employees
Vendor
2016-02-11T11:24:52Z
11 February 16

In a mobile operator network usually the main concern on Firewall is on Throughput, Concurrent Connection end New connection per Second. The other "function" as L7 protection, QoS, IPS are handled by specific appliance Proxy/Packet Shaper/Video optimizer. Even NAT sometimes is performed on Router and not on Firewall.
This is because usually the numbers of mobile operator are very high compared to a Enterprise where NGFW are usually deployed.

In a top mobile operator we got very good result with high End Juniper SRX device, thanks to predictable performance number and a very scalable architecture. You can add blade to add extra performance.

2016-02-04T08:54:03Z
04 February 16

When comparing ASIC vs Intel architectures, the biggest problem lies in the data, that vendors make available. Today Fortinet (ASIC) lists NGFW throughput, while they published only AV throughput in the past. Sophos (Intel) and Juniper (ASIC) list only AV throughput and WatchGuard (Intel) lists both. Also on the Firewall throughput side one lists small vs large packets, others list IMIX throughput, to make it difficult to compare by numbers.
When you do the math, you will find out, that Fortinet (ASIC) has an average performance drop of 92,8%, Juniper (ASIC) 89,4%, Sophos (Intel) 84,2% and WatchGuard (Intel) 67,1% (79,8% on Freescale based systems).
Possibly the Juniper and Sophos numbers should be a bit higher, because AV throughput only was used for the calculation (they don't publish NGFW/UTM throughput).
Still the numbers of WatchGuard show, that there is an advantage for the Intel platform, once UTM services get turned on. In the end it depends on the coding and solution design, if someone uses the advantages of a certain architecture to the full extent or not. WatchGuard's numbers just prove, that Sophos has plenty room to improve their code.

HF
Professioan Services Engineer at A10 Networks
Real User
2016-02-03T22:25:46Z
03 February 16

Just one comment about some people mentioning that intel vs ASIC is only important in routing / stateful packet inspection. Offloading session to ASIC is way much faster than using CPU not only for UTM features but also with IPSec / SSLVPN where encryption / decryption is offload to ASIC for better performance which is the reason why some CPU-Core processor vendors have ASIC circuit for only IPSec / SSL VPN because they know hardware encryption / decryption is faster than CPU.

2016-02-03T21:39:12Z
03 February 16

According to the listed Sophos appliance model, this seems to be a very small shop - or someone has made a wrong recommendation regarding the model.

Both vendors should not have any problems with any kind of switches. Problems could start come up, when you have to support link aggregation - but in such a small shop, that is probably not the case and a device with just 4 LAN ports isn't the optimal for such scenarios anyway.

I have seen a mentioning, that Sophos is Intel based, while Fortinet is ASIC based. This part is true - not true is assuming, that this would be an advantage for UTM services. ASIC's are great for routing and stateful packet inspection - but can not follow up Intel processors, when it comes to processing UTM services. In the specs, you will see great numbers for firewall throughput on ASIC's and quite poor performance at AV throughput - the hardest part of the UTM filtering. Opposite to that you will see lower figures for firewall throughput on Intel based systems and better specs when it comes to UTM throughput (less performance degradation).
If you selected your device based on the needed UTM throughput, the architecture - ASIC or Intel shouldn't be so important. But you may experience a price difference for appliances with the same UTM throughput, based on the architecture.

I don't know, why only Sophos and Fortinet made it to the list, since SonicWall and WatchGuard have also nice models for shops of this size.

When buying a firewall, one should consider a lot of factors. One of the most important is manageability. Everyone has his own preferences and you can't say, if one or the other brand will better fit the preferences of some user. You have to run a test, set up a demo network and see, what each of the products is the one, that you prefer to manage.

The second factor is picking the right model for the throughput you need today and in near future. If you plan to use UTM services, UTM throughput (AV+IPS+..) is the most important criteria, followed by number of supported connections and/or users/devices you plan to protect with it.

The third factor is the price. Once you found out what model you need to look at, it shouldn't be difficult to get the price for it. But you have to be very careful to read the pricing correctly. Some products come with one set of options/features/support, while another product may come with a completely different set and you have to purchase these options separately.

Juan C. Sanchez Pignalosa - PeerSpot reviewer
CEO & Co-Founder at Advisor Consulting Group
Real User
2016-02-03T14:06:18Z
03 February 16

I differ from your perspective or opinion regarding the size or the application of the Sophos Platform/Appliances. Sophos has the capability to offer Telco Industry solutions as well (they have the ability to create up to a 10 Cluster System at any model). Please do not misguide the users, since Fortinet is a direct competitor for Sophos, and both have their competences and challenges.

Find out what your peers are saying about Fortinet, Netgate, Check Point and others in Firewalls. Updated: September 2022.
634,550 professionals have used our research since 2012.
Juan C. Sanchez Pignalosa - PeerSpot reviewer
CEO & Co-Founder at Advisor Consulting Group
Real User
2016-02-03T13:52:20Z
03 February 16

You are intending to use a really small appliance, so perhaps your question (for me) seems misguided. What kind of mobile traffic are you refering to? It all depends on the expected throughput, and perhaps both systmes would work fine (all depending on your expected throughput). This is what really matter, awith the support. Sophos, without being perfect, is fa rbetter support and engineering that Fortinet. Hope this helps ;)

PeerSpot user
Managing Director at a tech services company with 501-1,000 employees
Real User
2016-02-02T21:59:36Z
02 February 16

SOPHOS XG is certainly the BEST option of the day from a cost perspective, deployment perspective & value for money. Besides you have options where you can buy on software or an appliance. But you gotta keep in mind the product is excellent only for Small & Medium business market segment.

On the other hand FORTINET has its own value & credibility with several options to choose form the features & throughput. That the more features you would like to have the higher the cost. There is a bit of complexity in configuring the appliance but it is all manageable. The high uniqueness about Fortinet is they have models from the Small SOHO users to the Telco level industry.

PeerSpot user
Assistant Buyer at a financial services firm
Vendor
2016-02-02T20:25:33Z
02 February 16

I don't think either would be the best choice at handling this type of
traffic -- they are both designed for "normal" Windows/Mac PC type
endpoints. Neither have the best agents for this kind of traffic patterns.
You might be better off with a Cisco ASA but then that will require a
pretty big expenditure to cope with the level of throughput involved.

PeerSpot user
Network Analyst at a financial services firm with 1,001-5,000 employees
Vendor
2016-02-02T17:30:59Z
02 February 16

This is a tricky question to answer. Both will technically be able to
handle it based on a 100Mb/s or 1000Gb/s interface. The Sophos Xg has a
higher specification and IPS throughput. How much network throughtput you
intend to use will need to be taken into account when you choose your
appliance. If you choose fortinet the equivalent to the Sophos Xg 85w would
be a fortigate 90D. Before choosing either I would highly recommend that
you use a traffic monitoring/profiling tool to understand what types of
traffic you are using most and this wilk pretty much sway you towards
Sophos or fortigate retrospectively. You may also want to consider other
alternatives such as Mcafee Next Gen Firewall or Dell Sonicwall how provide
alternate solutions. You also need to bear in my the cost of training and
certification in each of the products as well

PeerSpot user
IT Site Manager at a real estate/law firm
Vendor
2016-02-02T16:28:41Z
02 February 16

I don't understand the relevance of what sort of switches the traffic is
going through?

How much traffic and what are you trying to do exactly with the firewall?

PeerSpot user
Head IT Services at a healthcare company with 501-1,000 employees
Vendor
2016-02-02T16:25:54Z
02 February 16

Hi, Currently I am using a Fortigate 1000D firewall on my network and it is working perfectly. I have not used the Sophos XG so I cannot really differentiate the two devices when it comes to handling traffic from Cisco switches.

As for mobile traffic, Gartner's report places Fortigate as a leader in enterprise networks. So, I believe Fortigate should your best bet.

Regards.
Ifeanyi Ndukwe

HF
Professioan Services Engineer at A10 Networks
Real User
2016-02-02T15:47:33Z
02 February 16

Q: Can Sophos XG 85w handle network traffic going through Cisco switches better Than Fortigate UTM?

A: Both can handle traffic going through Cisco switches but it depends about the amount of traffic needs to be processed / inspected.

Sophos XG 85w is Intel-Based hardware appliance with max firewall throughput as 2000 Mbps. So, with ALL UTM features enabled on the box, the overall throughput might be less than 300 Mbps which is something you have to take in consideration when choosing between Sohpos & Fortigate. Keep in mind that Fortigate use ASIC processors hardware which capable to process traffic at near line-rate network speeds without degradation in performance.

Q: Which one will be a better firewall for handling mobile operator network traffic going through Cisco switches?

A: The largest model is XG 750 where the max firewall throughput 140,000 Mbps. According to Gartner report, Sophos is not a key player on large enterprise market such as carries, enterprise-data center and ISP due to limited processing capabilities. Fortinet offers these capabilities with its FortiGate 5000 series Chassis-based Platforms with FortiASIC processors to offer groundbreaking throughput and proven resilience.

PeerSpot user
Principal Network Engineer at a tech services company with 51-200 employees
Consultant
2016-02-02T15:06:58Z
02 February 16

1) Both should work – however there are some questions
2) Number of actual devices protected by the firewall
a. Servers
b. PCs/laptops
c. Mobile devices
d. Any other IoT devices (wearables, beacons or sensors)
3) Is the firewall the only wireless AP in the network?
4) How many subnets and/or VLAN’s are protected by the firewall?

If the number of devices is less than 50, my only concern is the WiFi capability of the devices. (in other words – how many WiFi devices are expected to be using the firewall). Once you get above 20 Wireless devices, you need to look at a stronger wireless solution vs having the firewall do everything. I have seen 50 person office have 130 devices on the network because people have phones and tablets, wearables and then there are guests that want to use the guest WiFi network.

it_user192240 - PeerSpot reviewer
Manager of Security Services at Orion Technology Services
MSP
2016-02-02T15:01:46Z
02 February 16

Your quality of throughput is going to partly depend on the number of users you have sitting behind the firewall, what type of work they'll be performing, and size of the Internet circuit. If you can answer those questions then you'll be off to a better start in making a decision. I have a few handy sizing guides somewhere, I'll need to look for them. Feel free to reach out to me and I'd be happy to show you some of the cool features the XG series has and I think I can still get a free demo version you can play with too.

Matt Grantham
770-330-3189
matt.grantham@oriontech.com

PeerSpot user
Sr Network/MIS Manager at a healthcare company with 501-1,000 employees
Vendor
2016-02-02T14:43:29Z
02 February 16

Would the Cisco Switches have an impact vs say HP or Extreme switches? I am assuming your solution has the correct size of Cisco switch for the amount of traffic you are expected to pass.

PeerSpot user
Senior Technical Consultant - Network and Security at a tech services company with 51-200 employees
Consultant
2016-02-02T14:14:58Z
02 February 16

Both the firewalls will handle the traffic very smoothly and is
inter-operable. Considering the user friendliness and ease of Operation i
will recommend fortigate. Also if we compare sophos with fortigate,
fortigate is more stable product than sophos.

PeerSpot user
Principal Network Engineer at a tech services company with 51-200 employees
Consultant
2016-02-02T13:54:34Z
02 February 16

In my experience such a question actually yields more questions in response than a simple answer.

1) Both should work – however there are some questions

2) Number of actual devices protected by the firewall

a. Servers

b. PCs/laptops

c. Mobile devices

d. Any other IoT devices (wearables, beacons or sensors)

3) Is the firewall the only wireless AP in the network?

4) How many subnets and/or VLAN’s are protected by the firewall?

If the number of devices is less than 50, my only concern is the WiFi capability of the devices. (in other words – how many WiFi devices are expected to be using the firewall). Once you get above 20 Wireless devices, you need to look at a stronger wireless solution vs having the firewall do everything. I have seen 50 person offices have 130 devices on the network because people have phones and tablets, wearables and then there are guests that want to use the guest WiFi network.

PeerSpot user
IT Infrastucture - Cloud Admin at Primary S.A.
Vendor
2016-02-02T13:22:16Z
02 February 16

I think that it will handle the traffict very well, however you didn´t specify the fortigate model.
Something that I have learnded in the hardway is the "max concurrent connection/sessions" that a firwall can handle. Your Firewall can have a very good througput but if the max concurrent connection it reached the stability of the Firewall can be compromised. There are tools like limit the simultaneus connection of a client/device to avoid reache the limit, but is better to have a Firewall with a very good amount of "max concurrent connections/sessions". For example, a DELL NSA 3600 can support 300000 simultaneous connections (depends on the configuration).

Another thing that you have to look, when chosing a new firewall, it the set of tools taht are included with the product, many of the products that are in the market have analisys tools sold separately. In other solutions, like Kerio Control, you have all-in-one solution.

One last thing, Check licenses, many times you will see a Firewall capable of 1 million of things, but the base license include 1% of that.

Please check this, i hope that this can help you:
http://www.fortinet.com/products/fortigate/unified-threat-management.html
https://www.sophos.com/en-us/products/next-gen-firewall/tech-specs.aspx

PS: Sorry for my english :)

PeerSpot user
Security Senior Network Engineer with 1,001-5,000 employees
Vendor
2016-02-02T13:17:47Z
02 February 16

Fortinet has a bettere end known tradition on Service Providers and the product from Sophos is relatively new. The question has not a complete answer if you don’t specify what Fortinet UTM model are we talking about.

PeerSpot user
Networking/Security Engineer with 51-200 employees
Vendor
2016-02-02T13:03:18Z
02 February 16

I work a lot with the equipment of Fortinet, but also know the Sophos
manufacturer.

Both Fortinet and Sophos are excellent safety equipment, very easy to work
with, manage, administer and implement.

I give support to customers who have networks with CISCO Switches that
connect with UTMs the Fortigate, and work without any problems, but you
should ensure that the porpagação of VLANs is done properly, otherwise I
think both manufacturers work well with CISCO.

The standards are used by all manufacturers.

Related Questions
RV
Divisional Engineer at Aptransco
Aug 18, 2022
Hi members, What kinds of throughputs should we consider while designing/estimating the required firewall throughput in our organization? Thank you.
2 out of 5 answers
16 August 22
Different vendors have a slower speed for each option you enable on their devices so overestimate the size.  Some vendors will tell you the % of slowdown but consider double the line speed to compensate for the device's slowdown.
CR
Director at REDCO
16 August 22
Usually, it is the Internet bandwidth, a number of users and (in the case of NGFW) you have to check if you are going to perform SSL filtering and application control, but lately, they are more concerned about the type of link to the Internet.  Almost all manufacturers have a link to check the size of the firewall, but unfortunately, it is for partners only. If it is possible to have more information we can make an approximation with SOPHOS or Fortinet, if you like.
fdiazm - PeerSpot reviewer
Product Manager at Entel Chile
Jun 22, 2022
Hi peers, At the moment, we are evaluating a solution where tunnel concentrators are going to be in virtual machines. And despite the fact where we should go in terms of technology, space, payment model and everything, this solution is something new in the company.  So, we're looking for any previous experience and advice about how to make a proper solution and which product/s to use. Please ...
2 out of 3 answers
KP
Senior Sales Manager at Fatpipe Networks Pvt Ltd
08 June 22
FatPipe Networks Inc - Hybrid Networking Connectivity.  We use our patented MPSec technology in order to provide bandwidth aggregation, redundancy, common management, compression and inbound/outbound load balancing. This solution is used by many of our customers for video conference, VoIP and data for the seamless switchover.
Frank Theilen - PeerSpot reviewer
IT Adviser/Manager with 51-200 employees
08 June 22
In my opinion, the way SD-WAN is designed, you will need multiple network endpoints or network-based concentrator hardware to handle multiple tunnels incoming.  If you host them as virtual devices, you share the underlying network hardware and therefore lose performance, not gain it. If you want to virtualize them, use several, many endpoints (not just one).
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)
Aug 21, 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technology products and we want your vote! If there’s a technology solution that’s really impressed you, here’s an opportunity to recognize that. It’s easy: go to the PeerSpot voting site, complete the brief voter registration form, review the list of nominees and vote. Get your colleagues to vote, too! ...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Aug 17, 2022
Hi dear community members, In this edition of PeerSpot's Community Spotlight, you can find out what your peers are discussing and join in the conversation. Ask and answer questions on the topics that interest you most! Read and respond to articles or contribute your own! Trending These are the topics your peers are talking about on PeerSpot this week How do I estimate the requir...
See 1 comment
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
17 August 22
Thank you to all the community members who share their knowledge with other peers! Also, special thanks to the articles' contributors included in this Community Spotlight: @Janet Staver, @Abhirup Sarkar, @Manoj Narayanan, @Beth Safire and @Shibu Babuchandran.
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Jul 05, 2022
Dear PeerSpot community members, This is our latest Community Spotlight for YOU. Here we've summarized and selected the latest posts (professional questions, articles and discussions) contributed by PeerSpot community members.  Check them out! Trending See what your peers are discussing at the moment! What were your main pain points during the SIEM product purchase process? What...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
May 30, 2022
Hi peers, This is our new bi-weekly Community Spotlight that includes recent contributions (questions, articles and discussions) by the PeerSpot community members.  Articles Check the top products and solutions below (selected based on peer reviews) or contribute your own article! Top Security Orchestration Automation and Response (SOAR) Solutions Top 8 Data Loss Prevention (DL...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Jul 11, 2022
Hi community members, As usual, this new Community Spotlight shares with you the latest articles, questions and trending discussions from your peers. Trending See what is trending at the moment and chime in to discuss! Top 8 Extended Detection and Response (XDR) Tools 2022 Would you recommend replacing Cisco ASA Firewall with Fortinet FortiGate FG 100F due to cost reasons? What is the...
See 2 comments
Ravi Suvvari - PeerSpot reviewer
Performance and Fault-tolerance Architect with 1,001-5,000 employees
30 May 22
Good very informative
Jairo Willian Pereira - PeerSpot reviewer
Information Security Manager at a financial services firm with 5,001-10,000 employees
11 July 22
Analyze the wave of product at Gartner Hype Cycle. EDR was good in the past. After that, MDR joined the hype and now, XDR is the trend. Wait for more in a couple of months and (sic) know the ZDR!
Related Articles
Ariel Lindenfeld - PeerSpot reviewer
Director of Content at PeerSpot (formerly IT Central Station)
Aug 21, 2022
PeerSpot User's Choice Award 2022
We’re launching an annual User’s Choice Award to showcase the most popular B2B enterprise technol...
Evgeny Belenky - PeerSpot reviewer
Director of Community at PeerSpot (formerly IT Central Station)
Aug 17, 2022
Community Spotlight #20
Hi dear community members, In this edition of PeerSpot's Community Spotlight, you can find out w...
Related Categories
Download Free Report
Download our free Firewalls Report and find out what your peers are saying about Fortinet, Netgate, Check Point, and more! Updated: September 2022.
DOWNLOAD NOW
634,550 professionals have used our research since 2012.