Sunday, September 15, 2013

10 big differences between the Cisco ASA and the Fortinet Fortigate

In this post we will go over some of the differences between these two firewall product lines.

The Cisco ASA and the Fortinet FortiGate


1: The licensing model

ASA:
Cisco has a whole gamut of licenses that can be applied, and it can be quite confusing.

Licensing is not additive (e.g. if you have 25 VPN peers and want 25 more, you have to buy a 50-VPN-peer license; you can't buy a second 25-peer license).

Fortinet:
Only has one or two license types (VDOM and FortiClient).


2: Blackhole routes

ASA:
You can't do this on an ASA. Typically one relies on the next-hop device, or just ACLs off the traffic.

FortiGate:
Supports blackhole routes via a null interface.
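As an added example (not from the original post), a FortiOS static blackhole route that drops traffic to a prefix rather than forwarding it to a next hop; the prefix and route ID are constructed for illustration:

```text
config router static
    edit 50
        # constructed: an internal range that should never be reachable through this box
        set dst 10.250.0.0 255.255.0.0
        # drop instead of forwarding; nothing is sent to a next-hop device
        set blackhole enable
        # longest-prefix match already beats the default route; the high distance only
        # matters if a real route for this exact prefix is later learned, which then wins
        set distance 254
    next
end
```

Matching traffic is discarded before any firewall policy is consulted, so a policy-based deny is not needed for the same prefix.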

3: Cisco contexts vs. FortiGate VDOMs

ASA:

  • Cisco contexts are very restrictive; typically you are limited to 3-4 contexts (except the ASA5505, where no contexts are available)
  • Contexts on the ASA don't support any remote-access VPN, and until recently no dynamic routing protocols. Even now, in multi-context mode you're limited to just OSPF or EIGRP (IPv4 only), with no dynamic routing protocols for IPv6
  • The management of the context configuration files is also awkward and confusing the first time you deploy them
  • Just enabling the multi-context feature requires a reboot


FortiGate:


  • Supports a minimum of 10 VDOMs (virtual domains)
  • VDOMs support all the open routing protocols (RIP, OSPF, BGP, IS-IS) and are not as restrictive
  • No reboot required for enabling VDOMs
  • By default all interfaces are part of the root VDOM, so enabling VDOM support does not drop any interfaces, policies or configuration if you're going from a VDOM-less setup to a VDOM concept
  • One big configuration file, with no separate files for the individual VDOMs


4: IPv6 support

  ASA:
  Getting better, but IPv6 support is still quite new in the ASA lineup.


  FortiGate:
  Has been IPv6-enabled for at least 6+ years now, but we still don't have OSPFv3 authentication :(

5: Firewall policies

ASA:
Uses an ACL approach on the ingress/egress interface, and no rule is required for the other direction.
Cisco also eliminates duplicates by disallowing the entry of duplicate ACL lines within a single access-list.

FortiGate:
Policies are built zone to zone or interface to interface, similar to Juniper. Duplicates can be installed with no warning, causing issues when auditing policies.


6: Intrusion detection

ASA:
  • Support for custom rules, but not very user friendly
  • Auto-updates are not as easy to allow
  • Limited number of rules
  • Requires a separate IDS engine or card that is managed separately, with possible license restrictions


FortiGate:
  • Support for custom rules
  • Auto-updates pretty much every day
  • IDS protection is part of the appliance hardware (no add-on card/module, no special licensing or restrictions)
  • Fortinet FortiGuard is quite awesome, and very mature and advanced

7: Remote management

Both units allow the common management protocols, with the Fortinet also allowing you to change the SSH/Telnet ports and restrict access per user. It also has a failed-login delay/lockout, to protect against brute-force attacks or misuse of failed logins.
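As an added example (not from the original post), the FortiOS settings behind the three points above: a non-default SSH port, a lockout after repeated failed logins, and an admin account restricted to a management subnet. The admin name, subnet and interface are constructed; the password is a placeholder:

```text
config system global
    # listen for admin SSH on a non-default port
    set admin-ssh-port 2222
    # lock an admin account for 300 seconds after 3 consecutive failed logins
    set admin-lockout-threshold 3
    set admin-lockout-duration 300
end
config system admin
    edit "netops"
        # constructed: only accept logins for this admin from the management subnet
        set trusthost1 192.0.2.0 255.255.255.0
        # built-in read/write profile; super_admin is broader than most admins need
        set accprofile "prof_admin"
        set password <placeholder-set-out-of-band>
    next
end
config system interface
    edit "wan1"
        # no management services on the untrusted interface at all
        set allowaccess ping
    next
end
```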

8: Flow data export

ASA:
NetFlow v9, but it's not the same NetFlow v9 that most routers export, which could cause issues with certain collectors.

FortiGate:
sFlow only (no NetFlow support).


9: VPN restrictions

ASA:  
Numerous license models; these limit the number of peers regardless of type: clientless vs. client SSL VPN, IPsec, L2TP/IPsec.

FortiGate:
VPN numbers are limited only by the hardware model/chassis.


10: Traffic inspection & processing

ASA:
Only traffic moving from a lower to a higher security level needs an ACL entry (the security-level concept).



FortiGate:
All traffic passing between interfaces on a FortiGate needs a firewall policy.
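As an added example (not from the original post), the two models side by side. Interface names, addresses and the web server are constructed; the ASA fragment omits NAT:

```text
! --- Cisco ASA: the security-level concept ---
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
! inside (100) -> outside (0) is higher-to-lower: forwarded with no ACL bound at all.
! outside (0) -> inside (100) is lower-to-higher: nothing passes until an ACL is bound.
access-list OUTSIDE_IN extended permit tcp any host 192.168.10.25 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

# --- FortiGate: no implicit trust between interfaces ---
# Without this policy, internal -> wan1 traffic hits the implicit deny even though
# "internal" is the trusted side; the reverse direction needs its own policy too.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

When auditing an ASA, remember that the absence of an ACL on the inside interface is itself a permit for everything outbound; on a FortiGate, the absence of a policy is a deny.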






Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \

12 comments:

  1. It's 2015, and Fortinet has upped the ante on some of these. It is time for you to update this post. For instance there is sflow AND netflow v9 support now in FortiOS 5.2 and higher, Fortiguard updates are pushed AT LEAST once per day...

  3. Dude, great comparison. Someone copied word for word from your blog and is using it as his own: https://www.linkedin.com/pulse/10-big-differences-between-cisco-asa-fortinet-fortigate-rahul-bhati

  4. Wow, this needs an update.

    ASA software-based licensing is only on the number of contexts (same as VDOM) and VPN users.

    Black hole routes have been there for about a year now, including remotely triggered black hole routing.

    Context mode firewalls are not complex, but either way the 5505 is over 10 years old as a hardware appliance. Contexts scale up to 250.

    The ipv6 support includes the ability to deny things like extension headers.

    IPS in 2013 was replaced by the Sourcefire product line, and all the features are currently merging.

    VPN license mode is per organization, limited to the number of users the box can handle.

    Security levels are not required but can be used. Zones are available now and global interfaces can also have an acl.

  5. Thanks for the reply, but you're not 100% correct in your explanations, and the information posted about the Cisco ASA at the time of this post was correct and most of it is still correct. Let's start from the top, though, so we can clear up a few items....

    "ASA software base licensing is only on the number of context (same as vdom) and VPN users."

    Not 100% correct. Licenses for the Cisco ASA vary, but you have context-based licenses, 10GigE interface licenses, various other features from botnet, Sourcefire, number of interfaces/hosts, content security, UC voice, AnyConnect counts, and the number of VPN peers as you mention later; then if you look at the inspection modules, they have licenses too. This is what was meant by license model, and heavily licensed at that.

    There are way more licenses than what you're hinting at. A FortiGate has maybe 3 licenses that I can think of (FortiToken, VDOM counts, FortiClient), and it has been that way for many years.


    "Black hole routes are there for about a year now including remotely trigger black hole "

    Not even close to a year; maybe that's a new feature that has come out in the 9.2 or 9.3 train. If it's been a year, then maybe... Either way it wasn't present as a feature in Sept 2013.


    "Context mode firewalls are not complex, but either way the 5505 is over 10 years old as a hardware appliance. Contexts scale up 250."

    Yes sir, an ASA5505 has been out for some years, in fact probably over 12+ years, but you're not getting 250 contexts in a 5505 or even in any other model that I'm aware of.

    "The ipv6 support includes the ability to deny things like extension headers."

    I laugh at that, but IPv6 is not a strong selling point in the Cisco ASA firewall for either single or multi-context mode. I will give credit, though, that CSCO has pushed a lot of new IPv6 functions in the last 1-2 years, but let's be clear, they are way behind in that area when compared to the other vendors in the security sector.

    "IPS in 2013 replaced by Sourcefire product line and all the features are merging currently"

    IPS has not been fully replaced, and the Sourcefire (Firepower) is very new, maybe 2-3 years old at best, and only in the "X" NGFW. It's way behind when compared to a FortiGate or Palo Alto, but Cisco is making big strides to catch up. The IPS and subscription model concept and FortiGuard have been around for many, many years. Just buy a subscription license for any advanced UTM function and have at it. And even some advanced UTM features can be used without a subscription, but with the knowledge that there is no FortiGuard intelligence (IPS, URL, etc.).

    "VPN license mode is per organization limited to number of users the box can handle."

    See above; it's the number of all "peers", including IPsec and dial-up or statically defined VPN IPsec peers.

    "Security levels are not required but can be used. Zones are available now and global interfaces can also have an acl."

    I don't understand that, but SLs are the main meat of the Cisco ASA and zones are the nature of the Cisco ASA. Global rules, once again, are a new feature with limitations on how you can deploy them. The Cisco is still an access-rule-based firewall, which is the point of the whole post: no ACL == no traffic, regardless of whether it's an interface-bound rule or a global access-group, but traffic from one or the same security zone can pass with no rule depending on the SL.

    The other firewall (FortiGate) needs a policy regardless of direction and interface. No fwpolicy == no traffic flow. Deleting all policies will pretty much stop all traffic. ;)


    Thanks

  6. Split into 2 because of comment limits?

    Yeah, serves me right for doing this on my iPhone. OK, let's start at the top.

    "Not 100% correct license for the cisco ASA varies but you have context based license, 10gige interface license, various other features from botnet, Sourcefire, number of interface/host, content security, UCvoice, anyconnect counts, and the number of vpn peers as you mention later, than if you look at the inspection modules they have license. This is what was meant by license model and heavily licensed at that.

    There's way more license than what your hinting to. A fortigate has maybe 3 license that I can think of ( fortitioken, vdom counts, forticlient ) And it has been that way for many years."

    You mention the 10GB license, the context license (VDOM is the equivalent, right? Which I mentioned), and Sourcefire licensing (OK, now we are comparing IPS, but moving on), sure, and the botnet traffic filter, and VPN.

    Got it. Let's take a crack at this:
    - 10GB interface license? I believe that was an 8.2 thing; it went away in 8.4 (2012?)
    - BotNet Traffic Filter (BTF, an OEM product): more or less no one uses it (en masse) and it is pretty much dead.
    - AnyConnect (SSLVPN) is now per-enterprise licensing (http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf). Basically you order per number of users in an enterprise, and it licenses the ASAs in your org (no longer tied to the head end). 2 licenses cover all the use cases, Plus and Apex; no more UC (not used anyway), no more separate Phone and Mobile options.
    - Firepower: 4 licenses (IPS, IPS + URL, AMP+IPS, and AMP+IPS+URL). Obviously when you have a license that requires a consistent signature feed you probably should be required to license it accordingly. I believe FortiOS does require AV/IPS licenses also?

    "Yes sir a ASA5505 has been out for some years in fact probably over 12+ years , but your not getting 250 contexts in a 5505 or even in any other model that I'ma ware of."

    Ok...
    Midrange: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html

    DataCenter: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html

    5512 = 5 up to 5555 = 50
    5585 = 250

    5512/5585 First Customer Ship 2013.


  7. IPv6: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/inspect_basic.html

    I think 9.0 came out also in the 2013/2014 time frame; we have had extension header support for a while, but we have also had 6-to-6 NAT, 4-to-6 NAT, 6-to-4 NAT, and several of our individuals do work on the IPv6 WG. It's common in the industry. Not sure why it would matter, but it's been there for a while now (not that anyone actually uses it), although individuals shouldn't allow extension headers in the first place.

    See above it's the number all "peers" to include ipsec and dialup or static defined vpn ipsec peers.

    Right, if you have more than 250 IPsec peers for a site-to-site VPN, you probably should dedicate a router or box for it, but ever.

    "Don't understand that, but SL are the main meat of the cisco ASA and zones is the nature of the cisco ASA. Global rules once again is again a new feature with limitations on how you can deploy it. The cisco is still a access rule based firewall which is the point of the whole post, no ACL== no traffic regardless if it's a interface bounded rule or global access-group but traffic from one or the same sec-zone can pass with no rule depending on that SL ."

    Global rules have been in there since the 8 train, not new; the meat of the SL was in the PIX (1998?) lineage. SL can be used, but honestly it's been going away for a while. If individuals want to use them, fine, but I think the only innovation around SL in a few years has been zones:

    http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

    Yes, you're right, you delete the FW policy and have no traffic flow, but interface ACLs make more sense when trying to organize in which direction you want to actually block traffic. There are firewalls I have seen with hundreds and hundreds of ACLs going into a global kernel with the only direction being src/dst. While on the surface that seems fine, it's an operational nightmare.

    But either way, CP/Forti/PAN/Cisco, I got forwarded the blog post, which I actually did like reading, but wanted to make sure you were aware that in mid-September some of this could have been true, but today it needs a bit of rework.

    Kudos on the SEO bump.

  8. OSPFv3 authentication? There is no authentication in OSPFv3, as it is designed for IPv6 and authentication is addressed in the IPv6 header.

  10. Yes, I'm aware of that. We still can't do AH in a FortiGate; maybe FortiOS v5.4 supports this, but I haven't seen any new feature releases.

    See the following about AH and OSPFv3:

    http://socpuppet.blogspot.com/2015/11/ospfv3-ah-authentication-ios-xr.html
