In this blog, I would like to list 26 differences that one might encounter between these 2 firewall appliances: the Palo Alto PA series and the Fortinet FortiGate.
PAN-OS has better event logging & numerous logging options. You can also add multiple logging servers, with custom syslog profiles per server. You can also deploy more custom filters for logging. PAN-OS also supports TCP/UDP and SSL for logging requirements, which is a nice plus. The FortiGates are nowhere close in function and rely on a 2nd appliance, FortiAnalyzer, to even offer half of this feature.
The smaller series of the PaloAlto appliance also has auto or manual fan controls, which is great if you're in a smaller office and concerned about generating excessive noise.
Regular log export (aka rollup) exists within PAN-OS 7.x, which helps with gathering logs off the appliance. Your choices of protocols are SCP/FTP.
FortiOS has DHCPv6 support, but you have to configure this via the CLI. PAN-OS has no such thing outside of DHCP for IPv4 services. IPv6 network and system features are growing in the PaloAlto.
FortiOS PPPoE support is very good, but PPPoE is still missing within the PaloAlto PAN-OS series, and there is nothing on the TBD roadmap.
RBAC support under PAN-OS is light-years ahead of FortiOS. You can offer and control roles much better, and with great flexibility, within your administrator profiles.
OSPFv3 support has been included since 6.1, with AH/ESP security, in the PAN-OS lineup. FortiOS has OSPFv3 protocol support but without security.
Application awareness and control are present in both, but PAN-OS leads the market in this area and has better and more accurate user and app identification. Both of these are highly developed and provide drill-down insight into both the "who" and the "what" of anything happening on the network. This is a selling point for PAN-OS in general! So an infected host could easily be ID'd, and the same goes for applications, regardless of TCP/UDP port services.
Fortinet has more available models of security appliances for your security needs. PAN-OS is limited to maybe 10-12 (including virtual) models and just recently added a manager appliance.
PaloAlto appliances are not cheap, and not easy to buy without going through a dealer/reseller and a time-consuming process.
The Application and Traffic monitor is so much better in PAN-OS. PaloAlto has improved this function to peel back multiple layers to give the security admin information on what's happening under the sheets, so to speak.
PaloAlto uses a Juniper-like "commit/revert" function that allows you to preview or peer review changes. In the same breath, we can also revert and run a diff in the same fashion as JunOS. Fortinet relies on the FortiManager (an off-appliance tool) to accomplish the same thing, and yes, that means more $$$$.$$
The packet capture and packet viewer are simpler in function, with numerous verbose show levels, within PAN-OS.
Reporting and export off the PaloAlto appliance is light-years ahead of Fortinet. It's hard to run a report and not find out what's going on in your network.
Fortinet has better support for smaller user models. This makes it a great and affordable firewall for covering both the bottom-end and top-end users. For the PaloAlto series, the PA-200 is currently the smallest unit; it lacks wifi, is limited to 4 user traffic ports with 100 Mbits, and comes with a bigger price tag ( $$$$ ).
PAN-OS has a superior global object find, which speeds up locating where an object is configured. This could be a name, an IP address, or just about anything. FortiOS has no such beast outside of maybe a FortiManager. The old method of the slow "show w/grep" is all that you have.
Config/commit lockouts. This is a feature stolen from Juniper JunOS that PAN-OS makes available in the PaloAlto series. FortiOS has nothing similar, so multiple administrators could collide and bump heads when performing configuration tasks.
FortiGate offers 1 or 2 USB ports for a backup interface, USB 3G modem, local backups, etc. The PaloAlto series has a USB slot present, but it is currently not available to the OS.
FortiOS has NetFlow and sFlow, but PAN-OS is limited to just NetFlow, and not all models support bi-directional NetFlow (btw, the same issue exists with Cisco ASAs).
FortiOS has support for HA within almost all models, but PAN-OS supports HA and HA-Lite on the smaller PA-200; the latter does not sync sessions and provides an active<->standby only that's semi-warm. (If the active dies, all sessions die with the active firewall.)
The Palo Alto WildFire is far advanced in malware detection, and the in-cloud threat intelligence is superior and probably 2nd to, let's say, FireEye, and that's a very close 2nd.
The PaloAlto offers virtual systems (aka vsys), which are like FortiGate vdoms, but you can share objects within multiple virtual systems. One issue within this area: not all chassis support vsys. Inter-vsys traffic controls are better handled & controlled than vdom-interlinks & the shared gateway, and eliminate overhead with multiple vsys and sNAT.
Fortinet has been around for a while and IPO'd a few years ahead of PaloAlto, but as the final standout point, PaloAlto takes network security more seriously and is more precise in identifying threats.
Fortinet support has been lacking imho. PaloAlto does so much better in ticket pickup and response.
Fortinet FortiGuard AV subscriptions have more dynamic updates than the Palo Alto database. You could go 2-3 days before a dynamic update for AV is provided.
Subscriptions are better handled in PAN-OS but also cost more than in FortiOS. You basically have everything in PaloAlto, but at a cost & with a price tag (Virtual System, App-ID, threats, AV, WildFire, etc.).
FortiOS vdom resource limits have more options, with limits set per vdom. Vsys and vsys limits are quite new in PAN-OS.
PAN-OS Large Scale VPN allows for quick remote configuration of spoke-to-hub(s) designs. FortiOS has no such feature.
In a nutshell, these 2 vendors both have a great firewall product with many bells and whistles. In regard to selecting your NGFW, you need to have a goal in mind and determine what your needs are. PaloAlto is the one to watch and is a leader by all means, but the price comes as a heavier bill.
I could go on and on with many differences, but PAN-OS has always been weaker in network features & overall throughput, with higher latency, yet it is light-years ahead of the pack in pure firewall UTM threat detection and application controls.
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=