Tuesday, November 10, 2015

PANOS and FortiOS differences by soc puppets

In this blog post, I would like to list 26 differences that one might encounter between these two firewall appliances, the Palo Alto PA series and the Fortinet FortiGate.


PAN-OS has better event logging and numerous logging options. You can also add multiple logging servers, with a custom syslog profile per server, and deploy more custom filters for logging. PAN-OS also supports TCP, UDP and SSL transports for logging requirements, which is a nice plus. The FortiGates are nowhere close in function and rely on a second appliance, the FortiAnalyzer, to offer even half of this feature set.


The smaller PaloAlto appliances also have automatic or manual fan controls, which is great if you are in a smaller office and concerned about generating excessive noise.


Regular log export (aka rollup) exists within PAN-OS 7.x, which helps with getting logs off the appliance. Your choices of protocol are SCP and FTP.


FortiOS has DHCPv6 support, but you have to configure it via the CLI. PAN-OS has no such thing outside of DHCP for IPv4 services. IPv6 network and system features are growing in the PaloAlto.


FortiOS PPPoE support is very good, but PPPoE is still missing from the PaloAlto PAN-OS series, with nothing on the TBD roadmap.


RBAC support under PAN-OS is light-years ahead of FortiOS. You can offer and control roles much better, and with greater flexibility, within your administrator profiles.


OSPFv3 support has been included since 6.1, with AH/ESP security, in the PAN-OS lineup. FortiOS has OSPFv3 protocol support, but without security.


Application awareness and control are present in both, but PAN-OS leads the market in this area and has better and more accurate user and application identification. Both of these are highly developed and provide drill-down insight into both the "who" and the "what" of anything happening on the network. This is a selling point for PAN-OS in general! So an infected host could easily be identified, and the same goes for applications regardless of TCP/UDP port services.


Fortinet has more models of security appliances available for your security needs. PAN-OS is limited to maybe 10-12 models (including virtual) and just recently added a manager appliance.


PaloAlto appliances are not cheap, and they are not easy to buy without going through a dealer/reseller and a time-consuming process.


Application and traffic monitoring is so much better in PAN-OS. PaloAlto has improved this function to peel back multiple layers and give the security admin information on what's happening under the sheets, so to speak.


PaloAlto uses a Juniper-like "commit/revert" function that allows you to preview or peer review changes. In the same breath, we can also revert and run a diff in the same fashion as JunOS. Fortinet relies on the FortiManager (an off-appliance tool) to accomplish the same thing, and yes, that means more $$$$.$$


The packet capture and packet viewer are simpler in function, with numerous verbose show levels within PAN-OS.


Reporting and exporting off the PaloAlto appliance are light-years ahead of Fortinet. It's hard to run a report and not find out what's going on in your network.


Fortinet has better support for smaller user models. This leading issue makes it a great and affordable firewall for covering both the bottom and the top-end users. The PA-200 is currently the smallest unit in the PaloAlto series; it lacks WiFi, is limited to 4 user traffic ports at 100 Mbit/s, and comes with a bigger price tag ($$$$).


PAN-OS has a superior global object find, which speeds up locating where an object is configured. This could be a name, an IP address or just about anything. FortiOS has no such beast outside of maybe a FortiManager. The old method of a slow "show" with grep is all that you have.


Config/commit lockouts. This is a feature stolen from Juniper JunOS that PAN-OS makes available in the PaloAlto series. FortiOS has nothing similar, so multiple administrators could collide and bump heads when performing configuration tasks.


FortiGate offers 1 or 2 USB ports for a backup interface, a USB 3G modem, local backups, etc. The PaloAlto series has a USB slot present, but currently it is not available to the OS.


FortiOS has NetFlow and sFlow, but PAN-OS is limited to just NetFlow, and not all models support bi-directional NetFlow (by the way, the same issue exists with Cisco ASAs).


FortiOS has support for HA within almost all models, while PAN-OS supports HA and HA-Lite on the smaller PA-200; the latter does not sync sessions and provides an active<->standby pair only that is semi-warm. (If the active unit dies, all sessions die with the active firewall.)


The Palo Alto WildFire is far advanced in malware detection, and the in-cloud threat intelligence is superior and probably second to, let's say, FireEye, and that's a very close second.


The PaloAlto offers virtual systems (aka vsys), which are like FortiGate VDOMs, but you can share objects across multiple virtual systems. One issue in this area: not all chassis support vsys. Inter-vsys traffic controls are better handled and controlled than VDOM inter-links and the shared gateway, and they eliminate overhead with multiple vsys and SNAT.


Fortinet has been around for a while and IPO'd a few years ahead of PaloAlto, but in the final stand-out review, PaloAlto takes network security more seriously and is more precise in identifying threats.


Fortinet support has been lacking, imho. PaloAlto does so much better in ticket pickup and response.


Fortinet FortiGuard AV subscriptions have more dynamic updates than the Palo Alto database. You could go 2-3 days before a dynamic update for AV is provided.


Subscriptions are better handled in PAN-OS but also cost more than in FortiOS. You basically have everything in PaloAlto, but at a cost and with a price tag (Virtual System, App-ID, threats, AV, WildFire, etc.).


FortiOS VDOM resource limits have more options, with limits set per VDOM. Vsys and vsys limits are quite new in PAN-OS.


PAN-OS Large Scale VPN allows for quick remote configuration of spoke-to-hub(s) designs. FortiOS has no such feature.

In a nutshell, these two vendors both have a great firewall product with many bells and whistles. In regard to selecting your NGFW, you need to have a goal in mind and determine what your needs are. PaloAlto is the one to watch and is a leader by all means, but the price comes as a heavier bill.

I could go on and on with many differences, but PAN-OS has always been weaker on network features and overall throughput, with higher latency; however, it is light-years ahead of the pack in pure firewall UTM threat detection and application controls.

Ken Felix
NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \


  1. Thanks for publishing this; I've worked with Palo Alto firewalls previously but now work exclusively with FortiGates, so this was a good read.

  2. Palo Alto has some cool features, and App-ID and user enumeration are 2 of the biggest pluses. FTNT has application controls, but it's not as accurate from my own experience, though it's not bad either.

    Please read the analysis that FTNT has done, but TCO and best bang for the buck still lead back to Fortinet.


  3. Very interesting read, even if I don't agree with everything 100%. :-)

    Might be worth looking into doing an updated version of this, as many changes have come with the releases of PANOS 7.0 and FortiOS 5.4.

  4. One interesting difference (and normally not well published) is how the device behaves after a session timeout: could it send RST packets? How granular is this configuration: per policy, per zone, per device? It matters in the case of crappy applications' handling of network exceptions. And FortiOS and PANOS have a very different behaviour on this subject.

  5. Why would you want a firewall to send a reset for a session timeout? That would be my 1st question.

    Nothing in the default allows for sending a reset for TCP traffic by a fwpolicy for a FortiGate appliance.

    PANOS, on the other hand, has actions for this, which could be a good or bad thing or generate a lot of noise. These actions are used within AV/MAL and other features per policy.

    As far as granularity, you probably have way more within PANOS, since you have more items within a security policy (PANOS) vs a FortiGate (fwpolicy).

    Now, as you apply more UTM features in a security profile, you have extra items to give you control and inspection with regards to FortiOS.

    PALO, for example, allows various SSH inspection, app, NAT control, user, etc.

    But to the same degree, we have all of the above in FortiOS per policy also.


    PANOS even goes farther to set various "action" types on the security policy, and security policies that are universal or interzone, etc. This level of granularity does NOT exist in FortiOS 5.2.x or even 5.4.x, but then again PANOS is a true zone-based firewall similar to the Juniper SRX.

    Even how PANOS and FortiOS handle TCP-session generated data in the session table for TCP sessions that never establish is different.

    FortiOS allows for a session timeout that is not settable per policy ("syn_ses"). In PanOS you have more configurable items: global TCP session timeout, handshake, FIN, resets or discards. This could be considered a big plus imho.


  6. But this is dependent on an accept action only and the TTL expiration. Just thought I would throw that out.


  7. I've been using AVG Antivirus for many years; I recommend this product to all of you.