Comments on Ken Felix Security Blog: 10 big differences between the Cisco ASA and the Fortinet Fortigate

Stephanie10 (2017-01-12 00:11):
Hey, thank you so much for this post. It's really helpful.
VPN comparison: https://www.lesmeilleursvpn.com/
French TV abroad: https://www.lesmeilleursvpn.com/guide-vpn-faq/acceder-aux-sites-bloques/regarder-tv-francaise-a-etranger/
Netflix films in French: https://www.lesmeilleursvpn.com/guide-vpn-faq/netflix-france-comment-acceder-a-tout-le-catalogue-mondial/

socpuppets (2016-02-22 22:46):
Yes, I'm aware of that. We still can't do AH in a FortiGate; maybe FortiOS v5.4 supports this, but I haven't seen any new feature releases.

See the following about AH and OSPFv3:

http://socpuppet.blogspot.com/2015/11/ospfv3-ah-authentication-ios-xr.html

Anonymous (2016-02-21 22:06):
OSPFv3 authentication? There is no authentication in OSPFv3, as it is designed for IPv6 and the authentication is addressed in the IPv6 header.

mosesrenegade (2016-02-11 17:44):
IPv6: http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/inspect_basic.html

I think 9.0 also came out in the 2013/2014 time frame. We have had extension header support for a while, but we have also had 6-to-6 NAT, 4-to-6 NAT, 6-to-4 NAT, and several of our individuals do work on the IPv6 WG. It's common in the industry. Not sure why it would matter, but it's been there for a while now (not that anyone actually uses it), although individuals shouldn't allow extension headers in the first place.

"See above it's the number all "peers" to include ipsec and dialup or static defined vpn ipsec peers."

Right, if you have more than 250 IPsec peers for a site-to-site VPN, you probably should dedicate a router or box for it, but ever.

"Don't understand that, but SL are the main meat of the cisco ASA and zones is the nature of the cisco ASA. Global rules once again is again a new feature with limitations on how you can deploy it. The cisco is still a access rule based firewall which is the point of the whole post, no ACL== no traffic regardless if it's a interface bounded rule or global access-group but traffic from one or the same sec-zone can pass with no rule depending on that SL."

Global rules have been in there since the 8 train, not new; the meat of the SL was in the PIX (1998?) lineage. SL can be used, but honestly it's been going away for a while. If individuals want to use them, fine, but I think the only innovation around SL in a few years has been Zones:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/interface-zones.html

Yes, you're right, you delete the FW policy and have no traffic flow, but interface ACLs make more sense when trying to organize in which direction you want to actually block traffic. There are firewalls I have seen with hundreds and hundreds of ACLs going into a global kernel with the only direction being src/dst. While on the surface that seems fine, it's an operational nightmare.

But either way, CP/Forti/PAN/Cisco, I got forwarded the blog post, which I actually did like reading, but wanted to make sure you were aware that in mid-September some of this could have been true, but today it needs a bit of rework.

Kudos on the SEO bump.

mosesrenegade (2016-02-11 17:43):
Split into 2 because of comment limits?

Yeah, serves me right for doing this on my iPhone. Ok, let's start at the top.

"Not 100% correct license for the cisco ASA varies but you have context based license, 10gige interface license, various other features from botnet, Sourcefire, number of interface/host, content security, UCvoice, anyconnect counts, and the number of vpn peers as you mention later, than if you look at the inspection modules they have license. This is what was meant by license model and heavily licensed at that.

There's way more license than what your hinting to. A fortigate has maybe 3 license that I can think of ( fortitioken, vdom counts, forticlient ) And it has been that way for many years."

You mention a 10GB license, context license (VDOM is the equivalent, right? Which I mentioned), and Sourcefire licensing (ok, now we are comparing IPS, but moving on, sure), and botnet traffic filter, and VPN.

Got it. Let's take a crack at this:
- 10GB interface license? I believe that was an 8.2 thing; it went away in 8.4 (2012?).
- BotNet Traffic Filter (BTF, an OEM product): more or less no one uses it (en masse) and it is pretty much dead.
- AnyConnect (SSLVPN) is now per-enterprise licensing (http://www.cisco.com/c/dam/en/us/products/security/anyconnect-og.pdf). Basically you order per number of users in an enterprise and it licenses the ASAs in your org (no longer tied to the head end). 2 licenses cover all the use cases, Plus and Apex; no more UC (not used anyway), no more separate Phone and Mobile options.
- Firepower: 4 licenses (IPS, IPS + URL, AMP+IPS, and AMP+IPS+URL). Obviously when you have a license that requires a consistent signature feed, you probably should be required to license it accordingly. I believe FortiOS does require AV/IPS licenses also?

"Yes sir a ASA5505 has been out for some years in fact probably over 12+ years, but your not getting 250 contexts in a 5505 or even in any other model that I'm aware of."

Ok...
Midrange: http://www.cisco.com/c/en/us/products/collateral/security/asa-5500-x-series-next-generation-firewalls/data-sheet-c78-729807.html

DataCenter: http://www.cisco.com/c/en/us/products/security/asa-5500-series-next-generation-firewalls/index.html

5512 = 5 up to 5555 = 50
5585 = 250

5512/5585 first customer ship 2013.

socpuppets (2016-02-11 07:48):
Thanks for the reply, but you're not 100% correct in your explanations, and the information posted about the Cisco ASA at the time of this post was correct and most is still correct. Let's start from the top, though, so we can clear up a few items....

"ASA software base licensing is only on the number of context (same as vdom) and VPN users."

Not 100% correct. Licensing for the Cisco ASA varies, but you have context-based licenses, a 10GigE interface license, various other features from botnet, Sourcefire, number of interfaces/hosts, content security, UC voice, AnyConnect counts, and the number of VPN peers as you mention later; then if you look at the inspection modules, they have licenses. This is what was meant by license model, and heavily licensed at that.

There's way more licensing than what you're hinting at. A FortiGate has maybe 3 licenses that I can think of (FortiToken, VDOM counts, FortiClient), and it has been that way for many years.

"Black hole routes are there for about a year now including remotely trigger black hole"

Not even close to a year; maybe that's a new feature that has come out in the 9.2 or 9.3 train. If it's been a year, then maybe... Either way, it wasn't present as a feature in Sept 2013.

"Context mode firewalls are not complex, but either way the 5505 is over 10 years old as a hardware appliance. Contexts scale up 250."

Yes sir, an ASA5505 has been out for some years, in fact probably over 12+ years, but you're not getting 250 contexts in a 5505 or even in any other model that I'm aware of.

"The ipv6 support includes the ability to deny things like extension headers."

I laugh at that, but IPv6 is not a strong selling point in the Cisco ASA firewall for either single or multi context modes. I will give credit, though, that CSCO has pushed a lot of new IPv6 functions in the last 1-2 years, but let's be clear, they are way behind in that area when compared to the other vendors in the security sector.

"IPS in 2013 replaced by Sourcefire product line and all the features are merging currently"

IPS has not been fully replaced, and the Sourcefire (Firepower) is very new, maybe 2-3 years old at best and only in the "X" NGFW. It is way behind when it's compared to a FortiGate or Palo Alto, but Cisco is making big strides to catch up, though. The IPS and subscription model concept and FortiGuard have been around for many, many years. Just buy a subscription license for any advanced UTM function and have at it. And even some advanced UTM features can be used without a subscription, but with the knowledge of no FortiGuard intelligence (IPS, URL, etc....).

"VPN license mode is per organization limited to number of users the box can handle."

See above; it's the number of all "peers", to include IPsec and dialup or statically defined VPN IPsec peers.

"Security levels are not required but can be used. Zones are available now and global interfaces can also have an acl."

Don't understand that, but SL are the main meat of the Cisco ASA and zones is the nature of the Cisco ASA. Global rules once again is a new feature with limitations on how you can deploy it. The Cisco is still an access-rule-based firewall, which is the point of the whole post: no ACL == no traffic, regardless if it's an interface-bound rule or a global access-group, but traffic from one or the same sec-zone can pass with no rule depending on that SL.

The other firewall (FortiGate) needs a policy regardless of direction and interface. No fwpolicy == no traffic flow. Deleting all policies will pretty much stop all traffic. ;)

Thanks

mosesrenegade (2016-02-11 05:45):
Wow, this needs an update.

ASA software base licensing is only on the number of contexts (same as VDOM) and VPN users.

Black hole routes are there for about a year now, including remotely triggered black hole routing.

Context mode firewalls are not complex, but either way the 5505 is over 10 years old as a hardware appliance. Contexts scale up to 250.

The IPv6 support includes the ability to deny things like extension headers.

IPS in 2013 was replaced by the Sourcefire product line, and all the features are merging currently.

VPN license mode is per organization, limited to the number of users the box can handle.

Security levels are not required but can be used. Zones are available now, and global interfaces can also have an ACL.

spock888 (2015-09-15 12:22):
Dude, great comparison. Someone copied word for word from your blog and is using it as his own: https://www.linkedin.com/pulse/10-big-differences-between-cisco-asa-fortinet-fortigate-rahul-bhati

Eddie (2015-07-29 05:05):
It's 2015, and Fortinet has upped the ante on some of these. It is time for you to update this post. For instance, there is sFlow AND NetFlow v9 support now in FortiOS 5.2 and higher, and FortiGuard updates are pushed AT LEAST once per day...

Anonymous (2015-02-05 13:55):
Thanks