Palo Alto vs. Fortinet in a Next-Generation Firewall Comparison
The next-generation firewall is a crucial security product for enterprise and large-scale networks. A next-generation firewall (NGFW) provides capabilities beyond those of a stateful network firewall. Today, we compare two of the leaders so you can decide which firewall you could see in your data center tomorrow.
While a stateful firewall is a network security device that filters incoming and outgoing network traffic based on port and Internet Protocol (IP) address, a next-generation firewall adds features such as application control, intrusion prevention (IPS), URL filtering, and often more advanced threat prevention capabilities like sandboxing.
Palo Alto Networks and Fortinet both offer next-generation firewalls (NGFWs), and both are top vendors. Each supports almost all next-generation firewall features, but there are some key differences between the two. In this article, we will dive into the pros and cons based on their technology, give an overview of their hardware options, and take a look at architecture and supported features.
Laying the Foundation with Palo Alto
Palo Alto is a 9-time Gartner leader in the Magic Quadrant and has both Physical and VM-Series firewalls. Their ML-Powered NGFWs are designed for simplicity, automation, and integration, while VM-Series Virtual NGFWs flexibly scale to secure deployments in public clouds, private clouds, and SDN environments.
Physical Platforms
The PA-220, PA-800, PA-3200 Series, and PA-5200 Series are next-generation hardware while the PA-7050 and PA-7080 are chassis architecture.
With the release of PAN-OS 9.0, a new K2-series firewall was introduced. The K2-series firewall is a 5G-ready firewall designed for service provider mobile network deployments with 5G and internet of things (or IoT) security requirements.
The operating system is consistent across all hardware platforms, so the look and feel of the web-based management interfaces are the same.
VM Series
The VM-Series firewall can be deployed either on-premises or in a public cloud. A VM-Series firewall can be deployed on Alibaba Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure, or Oracle Cloud to protect the cloud perimeter and east-west traffic. All VM-Series firewalls use a unified licensing system that is platform-agnostic. For example, a VM-100 perpetual license can license a VM running on Hyper-V or in AWS.
How Fortinet Matches
Most FortiGate models have specialized acceleration hardware (called Security Processing Units (SPUs)) that can offload resource-intensive processing from main processing (CPU) resources. Most FortiGate units include specialized content processors (CPs) that accelerate a wide range of essential security processes such as virus scanning, attack detection, encryption, and decryption. (Only selected entry-level FortiGate models do not include a CP processor.) Many FortiGate models also contain security processors (SPs) that accelerate processing for specific security features such as IPS and network processors (NPs) that offload processing of high-volume network traffic.
FortiGate-VM NGFW can be deployed as a virtual appliance in virtual environments and in private and public clouds, either as a BYOL instance or provisioned on-demand via public cloud marketplaces.
VM-Series Models and Capacities
| Example Performance and Capabilities | Throughput | vCPU | RAM (up to) | Concurrent Sessions |
| --- | --- | --- | --- | --- |
| FortiGate-VM00 | 12Gbps | 1 x vCPU core | 2GB | N/A |
| FortiGate-VM01, -VM01V | 12Gbps | 1 x vCPU core | 2GB | 1,000,000 |
| FortiGate-VM02, -VM02V | 15Gbps | 2 x vCPU cores | 6GB | 2,600,000 |
| FortiGate-VM04, -VM04V | 28Gbps | 4 x vCPU cores | 6GB | 4,300,000 |
| FortiGate-VM08, -VM08V | 33Gbps | 8 x vCPU cores | 12GB | 8,500,000 |
| FortiGate-VM16, -VM16V | 36Gbps | 16 x vCPU cores | 24GB | 10,000,000 |
| FortiGate-VM32, -VM32V | 50Gbps | 32 x vCPU cores | 48GB | 15,000,000 |
| FortiGate-VMUL, -VMULV | N/A | Unlimited | Unlimited | N/A |
Hardware Options For You
It's important to compare firewalls from both Palo Alto and Fortinet. Here at PivIT, we know the importance doesn't stop with the device itself. It stretches to what is available today, financing options, and more. We make it easy for you to find the hardware to build your network on your terms.
Building Your NGFW Architecture
With Palo Alto
The Palo Alto Networks firewall lets you specify Security policy rules based on a more accurate identification of each application seeking access to a network. Unlike legacy firewalls, which identify applications only by protocol and port number, it uses packet inspection and a library of application signatures to distinguish between applications with the same protocol and port and to identify potentially malicious applications that use non-standard ports.
The strength of the Palo Alto Networks firewall is its single-pass parallel processing (SP3) engine. Each current protection feature in the device (antivirus, anti-spyware, data filtering, and vulnerability protection) uses the same stream-based signature format. As a result, the SP3 engine can search for all these risks simultaneously.
The advantage of a stream-based engine is that traffic is scanned with a minimal amount of buffering as it traverses the firewall. This speed makes it possible to enable advanced features, such as scanning for viruses and malware, without slowing the firewall's performance.
Palo Alto Networks has processors dedicated to specific security functions that work in parallel. These components can be implemented in hardware or software. On the higher-end hardware models, the data plane contains three types of processors that are connected by high-speed 1Gbps buses:
- Signature Match Processor: Scans traffic and detects:
  - Vulnerability exploits (Intrusion Protection System)
  - Viruses
  - Spyware
  - Credit card numbers
  - Social Security numbers
- Security Processors: Multicore processors that handle security tasks such as Secure Sockets Layer decryption
- Network Processor: Responsible for routing, network address translation, and network-layer communication
On the higher-end hardware models, the control plane has its own dual-core processor, RAM, and hard drive. This processor is responsible for tasks such as management UI, logging, and route updates.
Building with Fortinet
Fortinet FortiGate Next-Generation Firewalls simplify security complexity and provide visibility into applications, networks, and users. They use purpose-built security processing units (SPUs) and threat-intelligence services from FortiGuard Labs to deliver top-rated security and high-performance threat protection (e.g., web filtering, intrusion prevention [IPS], application control, anti-malware) for known attacks.
As part of the broader Fortinet Security Fabric architecture, FortiGate NGFWs leverage automated, policy-based responses to accelerate time to resolution. When a FortiGate NGFW detects an event, it communicates with the Security Fabric, which determines what information will be shared across the enterprise. For example, when malware is seen in one part of the organization, the Security Fabric shares threat intelligence with the rest of the enterprise IT infrastructure.
In another instance, when a security policy is created for one security solution, the Security Fabric can contextually apply that same policy across other security solutions in the architecture for consistent and coordinated control. FortiGate NGFW enables full visibility into the entire attack surface, including all network segments and encrypted network flows.
Having complete visibility is the key to detecting unsanctioned applications and hidden threats and to managing external risks. FortiGate NGFW can also manage internal risks by detecting, segmenting, isolating, and preventing lateral propagation of threats. It can adapt to any type of segmentation, including micro-segmentation and macro-segmentation, and provide advanced Layer 7 security to enable defense in depth.
Sandboxing Before You Build
Both firewall vendors have cloud sandboxing solutions for unknown threats. Palo Alto uses the WildFire cloud, and Fortinet uses FortiSandbox Cloud.
- FortiSandbox had signature coverage for most initial payload samples, but it falls short in C2 analysis, which provides attackers a window of opportunity. However, Palo Alto is more secure in this case.
- FortiSandbox Cloud does not have a custom hypervisor, nor does it support bare metal analysis. WildFire provides both.
- The FortiSandbox database is entirely hash-based. Adding a single byte to the end of a known malicious file and repeating the transfer will cause the modified file not to be blocked.
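The contrast in the last bullet, combined with the stream-based single-pass scanning described under "With Palo Alto", as an added example that is not from the original article or from either vendor. It is a simplified model: the signature strings, sample bytes, and function names are constructed for illustration and do not represent either product's internals.

```python
import hashlib

# Constructed, harmless signature table in one shared format: (category, pattern).
SIGNATURES = [
    ("antivirus", b"CONSTRUCTED-TEST-PAYLOAD"),
    ("anti-spyware", b"beacon.example.invalid"),
    ("data-filtering", b"CONFIDENTIAL-PROJECT-X"),
]
MAX_LEN = max(len(p) for _, p in SIGNATURES)

def scan_stream(chunks):
    """Scan a chunked stream once, checking every category in the same pass.

    Only the last MAX_LEN - 1 bytes are carried between chunks, so buffering
    stays bounded while matches that straddle a chunk boundary are still seen.
    """
    hits, tail = set(), b""
    for chunk in chunks:
        window = tail + chunk
        for category, pattern in SIGNATURES:
            if pattern in window:
                hits.add(category)
        tail = window[-(MAX_LEN - 1):]
    return hits

def hash_verdict(data, known_bad_hashes):
    """Exact-match lookup: flags only byte-identical copies of a known file."""
    return hashlib.sha256(data).hexdigest() in known_bad_hashes

def chunked(data, size):
    """Split data into fixed-size chunks, as a stand-in for packet payloads."""
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed sample "file" and the hash list held after it was first analysed.
KNOWN_FILE = b"\x7fHDR" + b"CONSTRUCTED-TEST-PAYLOAD" + b" contacts beacon.example.invalid"
KNOWN_BAD = {hashlib.sha256(KNOWN_FILE).hexdigest()}
PADDED_FILE = KNOWN_FILE + b"\x00"  # the one-byte change described in the text

def compare(data, chunk_size=7):
    """Return (hash-list verdict, sorted content-signature categories)."""
    return hash_verdict(data, KNOWN_BAD), sorted(scan_stream(chunked(data, chunk_size)))

if __name__ == "__main__":
    print("known file :", compare(KNOWN_FILE))
    print("padded file:", compare(PADDED_FILE))
```

The hash-list verdict flips for the padded copy while the content signatures still match, which is why exact-hash verdicts are best treated as a cache in front of content inspection and not as the only control.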
Device Management
Palo Alto's NGFWs can be configured with on-box management or a central management appliance (Panorama). Panorama has physical and virtual appliances for managing multiple firewalls from a single management console.
Fortinet's NGFWs also can be configured using both on-box management and central management (FortiManager). FortiManager also has physical and virtual appliances for automating device provisioning & maintaining policies.
Device management stretches across your full data center network. Both OneCall and EXTEND have services to help manage your devices. OneCall has a maintenance ticket and contract management platform while EXTEND has field services to help manage your assets across your full data center network. Get in touch today to chat more about device management.