In this blog, we will look at just some of the few differences between the Juniper SRX and the Fortinet security appliances known as he Fortigate , or a.k.a FGT thru out this blog.
Both companies has a wide range of firewall appliances, and have a strong support within the ipv4/ipv6 security arena. I ‘ve been involved with both vendor for at least 9+ years now. Fortigate hands down, has a wider range of firewalls models from the smaller SOHO office type, to the big Carrier class. They also have a wider choices of security appliances than Juniper or Cisco. This alone does NOT make them the best pick for all deployments, but could be factor in your evaluations between the 2 vendors.
In any bake off, you should weigh the complete package, from the cost per unit, port, features, post sales supports and any future requirements & integrations.
This blog is not a who is better, but more of a informational posting & from my personal experience and observations.
1: Configuration committal
What this means, the SRX supports what’s called a configuration commit method for deploying changes. This approach allows for you to deploy and stage changes, and then commit the changes at a later time if so desired.
Fortigate on the other hand, use a configuration tree and after you exit the config branch of the tree, your changes are committed. There’s no on board committal scheduler.
2: Commit rollback
Commit rollback also goes to the SRX. You can rollback to a pre existing state or previous life. Great for change management and change controls.
FGT does not have this feature, the best they have is a delay time to roll back to a previous configuration or a full config restoration which always requires a reboot.
If you want configuration change controls and rollback, you will need to invest into a Fortimanager appliance, which is another appliance & at some extra cost.
3: IPV6 support and other advance supported features
IPv6 support goes to both models, but from my experience; “ the SRX has better support for routing than the FGT”. They also incorporated more routing based features like DVMRP. And for layer security , 802.1x is also supported to some degree.
Please remember ; “Juniper is a network routing company”. So it makes for complete sense that they have taken a stronger stances on IPv6 routing support, and other routing features, when compared to Fortinet.
On the other hand , Fortinet has always supported IPv6 for ages, and have numerous other IPv6 features like DHCPv6, where as a SRX does not until just recently. Their advanced UTM & application awareness features are a plus and included within the appliance.
4: SSLVPN Support
The FGT supports SSLVPN on-appliance. The Juniper approach is to buy a 2nd appliance & just for SSL vpn terminations. This plain out sucks, but they are about making money.
5: Integral Wireless Lan Controller
The Fortigate lineup outside of the smallest FGT models, all supports some type of integral WLC & with a limited support number of APs and AP wireless tunneling. The Juniper SRX supports wireless lan controls in the larger Branch Model or their bigger appliances & with an limited AP count.
6: Integral Wifi Interfaces
This feature goes to the FGT. Fortinet has incorporated within their SOHO to the very lower-end models, some type of Wifi Interfaces. These interfaces support a wide range of SSID and multiple security authentication modes. These same models also support fixed wired ports and cost slightly more, than the wired only models. So if you need a Dlink type of autonomous AP, but within a advance firewall appliance, a Fortigate FWF model should not be over looked.
7: Unix shell access
The SRX support a unix shell. It allows for one to do a host of items such as;
- · Mount external format file systems ( thumb drives, cdrom, external-floppies, etc…. )
- · The creation & execution of administration scripts
- · Writing packet captures from the cli using stand pcap expression
- · Md5/sha256 hash utilities
- · Xml outputs
- · Simple text editors vi /vim / ed
- · Snapshot creations
- · Common Unix utilities sed, awk, grep, egrep, cut, etc….
- · The Mounting of iso or nfs mounts points
- · manpages
The FGT does not have this option, and this pretty much sucks if your like me; “ a CLI junkie J “
8: Admin port access change
This is a big one for me personally. The FGT let’s one easily change the administration access ports for both ssh, web, or telnet
( please don’t use telnet access for managing a security appliance J )
The SRX makes this task extremely hard or next to impossible, & with out hacking around the inetd configurations other parts of the firewall filter configurations.
9: MPLS termination
The SRX supports MPLS labeling with ease. I never fully recommend this for the average deployment, but if you need to terminate MPLS labels, you can do so with a SRX. The FGT lineup are not MPLS aware, and this goes back to Juniper being a routing company, and that Fortinet is a security company.
10: GRE tunnels interfaces supports
Both model support the common GRE interface. A GRE interface is treat as another interface , and allows for fwpolicies, ip address, and you can run routing protocols over these interfaces.
11: zones –based policies
A SRX security gateway uses the concept of zones only. Fwpolicies are built from one zone to another zone. Where the Fortigate uses a port-based fwpolicies. This means ; “ firewall policies are built from one port to another port ( interfaces ) “.
Keep in mind that the Fortigate does allow you to group interfaces into a common zone , and then you can write fwpolicies from a zone to another zone or a zone to another port, but this is not the normal default method
( see my earlier posting on my blog about the zones )
12: Explicit Proxy & webtraffic inspections
I wanted to stay away from UTM advance features in this SRX & FGT cook off , since the Fortigate is way superior in this area. But I wanted to speak on the differences in that the FGT has way better support for webtraffic inspection and intercepts, than what the SRX offers.
Once again within the SSLVPN support, “ in the Juniper world, you have to buy a 2nd components or add some type of license “.
They do have other application aware features like AppSecure, but this has been flaky across all platforms from my experience and is an additional cost and license to purchase. Just like with the cisco ASA, everything on a SRX seems to be a license “ buy or add-on” . The FGT appliance , is pretty much buy it, and turn on what you need.
13: ServerLoadBalancer supported VIPs
Load balancing VIPs, with multiple back-ends , is a serious plus in the Fortigate lineup. One might say; “ why not buy a server load balancer ? “ My answer to that ; “ not all load balancing requires a 2nd complex component for simple redundancy load balancing requirements”
Keep in mind the LB VIPs options in the Fortigate appliances, are very basic. Your not going to write any iRule/aRules, or do any complex responder policies in a Fortinet FGT appliance.
If you need a true SLB, buy any of well known SLB from vendors like A10 networks, ServerIron, Citrix, F5 or heck now that I think of it; “ Fortinet has a load balancer”.
But if you need a simple load balanced VIP , an with simple health checks, the FGT appliances does offer this feature in the firewall appliance.
14: Virtual Firewalls Appliances
In the last 4 years or so, Fortinet has been jumping on to VMware supported virtual firewalls bandwagon. I myself , have not been a big fan of this approach, but it’s support , available and they are making a strong stance in this area. The Fortinet sales team are pushing the virtual appliances more and more. And not just for demos.
Yeah, my favorite subject. This is a 9 letter bad word in the IT network arena, but we can’t avoid it.
The juniper SRX is based on a license model & for various features. The FGT is not for the most part . Outside of vdom supports or licensing within the virtual firewalls appliances, you have pretty much have no licenses or other restriction outside the matrix guides and limitations based on the size of the appliance.
16: WebGUI access
Both units has a WebGUI interface. The SRX interface is slowly advancing , where as the FGT interface is slicker and way more advance. As a matter of fact, they have too much stuff in the WebGUI ( imho ). So with the later Fortigate OS, you have the ability to select how much clutter you can display in the WebGUI and dashboards.
The Juniper WebGUI is also much slower than the speedier Fortigate interface ( mho ). You can easily wait 1-2 mins for a committal , and changes in the Juniper Device manager interface, and this more relevant in the smaller units.
17: The capacity for Interface Monitoring in real time
Most FGT show commands are a one time executed, and not real time by any means. The SRX allows for certain interface monitor in real time , or delayed intervals. I find this useful when working with interfaces and look for changes, while debugging or diagnostics.
18: LLDP support
Yeap , the Juniper SRX has support for LLDP & over most physical interfaces. The Fortinet FGT appliances is LLDP un aware. This can be very helpful with diagnostics and debugging interfaces & layer one or two issues.
19: ARP aging timers
The SRX support a per interface arp aging timer, where as the FGT does not as of the latest codeset from Fortinet.
20: WCCP Support
The SRX does not support WCCP. So what this means; “ your limited in the deployment options for redirection of traffic to a 3rd party webfilter/inspection engine”.
The Fortinet FGT has supported WCCPv2 for ages and it works quite well in the bigger units. I personally seen issues with it dragging it’s feet or hanging in the smaller chassis platforms, YMMV.
I hope these 20 items, helps you in your evaluation of these two superior firewall appliances.
Happy Holidays from Ken @ socpuppets.
Freelance Network / Security Engineer
kfelix ----a---t---socpuppets ---d---o---t---com
=( ^ ^ )=