Your Best Security System: Cisco ASA vs. Fortinet FortiGate
by Darin Knobbe, on Jun 18, 2020 12:30:00 PM
Network security is becoming more important each day through application security, network access control, internal use management, and more. With your firewalls being the initial gateway between external and internal networks, it is necessary to have the leading infrastructure in your network. Next Generation Firewalls (NGFW) provide you with better throughput, enhanced performance, seamless security, and simple configuration and management. Today, we highlight the Cisco ASA NGFW and Fortinet FortiGate NGFW. You'll see one clearly outweighs the other on a performance and cost basis. We also walk through 10 specific features you should consider when choosing your next firewall!
Advanced routing capabilities (RIP, OSPF, BGP, and PBR) give you a seamless and simple integration into a large network. FortiGate Secure SD-WAN includes best-of-breed next-generation firewall security, SD-WAN, advanced routing, and WAN optimization capabilities that deliver a security-driven networking WAN edge transformation. The CLI is robust and powerful, enabling rapid and consistent changes via SSH. The device identification is flexible, facilitating the creation of rules to regulate all sorts of devices that might spring up on a network, especially via Wi-Fi. The IPsec tunnels are easily created and interoperable with devices from various OEMs.
The most valuable features focus on optimizing the security of networks against external threats. With the security features of the FortiGate series you can categorize users into groups with different network access limits. Detailed reporting and analytics follow from this, drawing on information from specific events on the network by traffic location, device, IP address, and more. Virtual Domains (VDOMs) are another valuable feature, letting customers run multiple firewalls on a single campus.
Matching the FortiGate With ASA
Most users are not familiar with the ASA's functionality and features, which makes it complicated to operate. Those turning to the ASA tend to look for a one-product, one-box solution and have trouble finding it. Below, we look at configuration features and web filtering for both firewalls. We've often heard that the ASA product line needs a quicker operating system, a cleaner interface, a more detailed reporting structure, better throughput, and more. Both Cisco ASA and Fortinet FortiGate provide comprehensive visibility and advanced layer 7 security, threat protection, intrusion prevention, web filtering, and application control.
| Feature | Cisco ASA | Fortinet FortiGate |
| --- | --- | --- |
| Throughput Range | Up to 320Gbps | 17Gbps - 1Tbps |
| Concurrent Connections | Up to 60M | Up to 320M |
| IPsec VPN Throughput | Up to 51Gbps | Up to 160Gbps |
Here we share 10 specific features that put the ASA side-by-side with FortiGate from Fortinet.
1. Licensing
- ASA: Cisco has an extensive line-up of licensing models that can be applied, and it can be confusing. Licensing is not additive as you go, either (e.g. if you have 25 VPN peers and want 25 more, you have to purchase a new license for 50 VPN peers rather than adding 25).
- FortiGate: Straightforward, with two licensing types: VDOM and FortiClient.
2. Blackhole Routes
- ASA: Blackhole routes are available via null0 routing.
- FortiGate: Blackhole routes are supported via the null interface.
3. Cisco Context vs. FortiGate VDOM
- ASA Context: Highly restrictive and limited to 3-4 contexts; the ASA 5505 has none available. Contexts on the ASA do not support remote-access VPNs or dynamic routing protocols, though in multi-context mode OSPF or EIGRP (IPv4) is available.
- FortiGate VDOM: At least 10 virtual domains (VDOMs) are supported, with all open routing protocols (RIP, OSPF, BGP). To save time, no reboot is required to enable VDOMs. By default, all interfaces are part of the root VDOM, so enabling VDOM support doesn't drop any interfaces, policies, or configuration. Moving from a VDOM-less deployment to VDOMs still uses a single configuration file, with no separate files for the individual VDOMs.
4. IPv6 Support
- ASA: IPv6 support is relatively new to the line-up and requires system updates.
- FortiGate: IPv6 is enabled, and as of FortiOS 6.2.0 OSPFv3 authentication is supported as well.
5. FW Policies
- ASA: An ACL is applied to an interface in the ingress or egress direction only. Cisco prevents duplication by rejecting duplicate ACL lines within a single access-list.
- FortiGate: Policies are built "zone-to-zone" or "interface-to-interface", similar to Juniper. Duplicate policies can be installed without any warning, which has caused issues when auditing policies because the redundant entry is hard to find and monitor.
6. Intrusion Detection
- ASA: Supports custom rules, but is not user-friendly, and the number of rules is limited. The ASA requires a separate IDS engine or module that is managed on its own and carries its own license restrictions.
- FortiGate: Supports custom rules as well. A highlight is that signatures auto-update almost every day. IDS protection is part of the appliance, with no add-on card/module or special licensing.
7. Remote Management
Both units support the common management protocols. The Fortinet FortiGate lets you change the SSH/Telnet ports and restrict access to specific users. A failed-login delay blocks brute-force attempts and other misuse through repeated failed logins.
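Two of the points above lend themselves to an automated check over a FortiGate configuration export: the duplicate policies that item 5 says can be installed without warning, and the admin-access settings (SSH port, failed-login lockout, per-administrator trusted hosts) that item 7 describes. The script below is an added example, not PivIT's or Fortinet's code. It parses the config/edit/set/next/end grammar of a FortiOS export, groups firewall policies whose match criteria are identical regardless of the order of multi-value fields, and reports admin settings that are weaker than the thresholds this example assumes. The sample export, its interface names, addresses, admin accounts and policy ids are constructed for illustration, and the `admin-ssh-port` and `admin-lockout-threshold` defaults assumed in the code are assumptions, not Fortinet's documented defaults.

```python
"""Audit a FortiOS configuration export for duplicate firewall policies and for
weak admin-access settings (added example; not PivIT's or Fortinet's own code)."""
import shlex
from collections import defaultdict

# Constructed sample of a FortiOS configuration export; interface names,
# addresses, admin accounts and policy ids are invented for illustration.
SAMPLE_CONFIG = """\
config system global
    set admin-ssh-port 22
    set admin-lockout-threshold 10
    set admin-lockout-duration 60
end
config system admin
    edit "admin"
    next
    edit "netops"
        set trusthost1 10.10.0.0 255.255.255.0
    next
end
config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set action accept
    next
    edit 2
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTPS" "HTTP"
        set action accept
    next
end
"""

def parse_fortios(text):
    """Parse config/edit/set/next/end into {section: {entry_id: {key: [values]}}}.
    Settings directly under a 'config' block (no 'edit') live under entry id None."""
    sections = defaultdict(dict)
    stack = []  # one [section_name, current_entry] pair per open 'config' block
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cmd, *args = shlex.split(line)  # honours the quoting FortiOS uses
        if cmd == "config":
            stack.append([" ".join(args), None])
            sections[stack[-1][0]].setdefault(None, {})
        elif cmd == "edit":
            stack[-1][1] = args[0]
            sections[stack[-1][0]].setdefault(args[0], {})
        elif cmd == "set":
            section, entry = stack[-1]
            sections[section][entry][args[0]] = args[1:]
        elif cmd == "next":
            stack[-1][1] = None
        elif cmd == "end":
            stack.pop()
    return sections

# Match criteria compared when looking for duplicates; the order of multi-value
# fields such as service is ignored. Extend with schedule/users for a stricter test.
MATCH_KEYS = ("srcintf", "dstintf", "srcaddr", "dstaddr", "service")

def find_duplicate_policies(sections):
    """Return groups (lists of policy ids) whose match criteria are identical."""
    groups = defaultdict(list)
    for pid, settings in sections.get("firewall policy", {}).items():
        if pid is None:
            continue
        key = tuple(tuple(sorted(settings.get(k, []))) for k in MATCH_KEYS)
        groups[key].append(pid)
    return [ids for ids in groups.values() if len(ids) > 1]

def check_admin_access(sections):
    """Findings for SSH port, failed-login lockout and per-admin trusted hosts.
    The assumed defaults and the threshold of 5 are this example's assumptions."""
    findings = []
    g = sections.get("system global", {}).get(None, {})
    if g.get("admin-ssh-port", ["22"])[0] == "22":
        findings.append("admin-ssh-port left at default 22")
    if int(g.get("admin-lockout-threshold", ["3"])[0]) > 5:
        findings.append("admin-lockout-threshold allows more than 5 failed logins")
    for name, settings in sections.get("system admin", {}).items():
        if name is not None and not any(k.startswith("trusthost") for k in settings):
            findings.append(f"admin '{name}' has no trusthost restriction")
    return findings

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print("duplicate policy groups:", find_duplicate_policies(cfg))
    for finding in check_admin_access(cfg):
        print("finding:", finding)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file's contents; policies 1 and 2 in the sample are reported as one duplicate group because only the order of their service list differs, which is exactly the kind of redundant entry item 5 says is hard to spot by eye.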
8. Flow Data Exportation
- ASA: NetFlow v9 is supported, but some collectors have issues with ASA exports that they do not have with most router exports.
- FortiGate: sFlow and NetFlow are supported on FortiOS 5.2 and higher.
9. VPN Restrictions
- ASA: Numerous licensing models limit the number of peers regardless of type, namely clientless VRS, client SSL VPN, IPsec, and L2TP-IPsec.
- FortiGate: Check the hardware chassis model to verify the supported VPN numbers; some models may be limited.
10. Traffic Inspection and Processing
- ASA: Only traffic moving from a lower to a higher security level needs an ACL entry.
- FortiGate: All traffic passing between interfaces needs a firewall policy.
Choosing the Better Security
We've lined up the ASA from Cisco and the FortiGate from Fortinet. The comparison shows Fortinet produces a higher-capacity, higher-performance firewall. This sets the bar high, and the same impressive capacity and performance carry over as you move down to the mid-range firewalls. Even at the entry level, Fortinet's firewalls come out ahead of Cisco's. Look to PivIT to supply your network with Fortinet NGFW firewalls from the FortiGate series.
More About PivIT
Here at PivIT Global we want to help you find the right infrastructure to set your business up for success. We have a team ready to answer any questions or to chat more about the FortiGate firewalls that suit your needs. Need to get in touch quicker than a phone call? No worries, leave a quick comment below.
Updated: February 19, 2021