Thursday, December 26, 2013

A Juniper SRX and Fortinet Fortigate comparison

In this blog post, we will look at some of the differences between the Juniper SRX and the Fortinet security appliances known as the Fortigate, referred to as the FGT throughout this post.

Both companies have a wide range of firewall appliances and strong support within the IPv4/IPv6 security arena. I've been involved with both vendors for at least 9+ years now. Fortigate, hands down, has a wider range of firewall models, from the small SOHO type up to big carrier-class units. They also have a wider choice of security appliances than Juniper or Cisco. This alone does NOT make them the best pick for all deployments, but it could be a factor in your evaluation of the two vendors.

In any bake-off, you should weigh the complete package: cost per unit and per port, features, post-sales support, and any future requirements and integrations.

This post is not a "who is better"; it is more of an informational posting based on my personal experience and observations.

1: Configuration commit

The SRX uses a commit model for deploying changes: you stage a set of changes in a candidate configuration and then commit them, either immediately or at a scheduled later time if so desired.

The Fortigate, on the other hand, uses a configuration tree, and once you exit the config branch of the tree your changes are applied. There is no on-board commit scheduler.

2: Commit rollback

Commit rollback also goes to the SRX. You can roll back to a previously committed state. Great for change management and change control.

The FGT does not have this feature; the closest it offers is a revert timer that falls back to the last saved configuration, or a full configuration restore, which always requires a reboot.

If you want configuration change control and rollback, you will need to invest in a Fortimanager appliance, which is another box at extra cost.
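To make items 1 and 2 concrete, here is an added example (mine, not from the original post) of the Junos CLI sequence for staging, validating, scheduling, confirming and rolling back a change on an SRX, followed by the FortiOS revert timer and flash revisions that are the Fortigate's nearest equivalent. The hostnames, the change (two SSH hardening knobs), the time and the comment text are made up; the FortiOS side assumes 4.x/5.x syntax.

```text
## Juniper SRX (Junos CLI): stage, validate, schedule, confirm, roll back
user@srx> configure
Entering configuration mode

[edit]
user@srx# set system services ssh protocol-version v2
user@srx# set system services ssh root-login deny

[edit]
user@srx# show | compare        # candidate vs. active config; nothing is live yet
user@srx# commit check          # syntax/semantic validation only
configuration check succeeds

## Activate, but auto-rollback in 5 minutes unless a plain "commit" follows.
## This is the safety net for changes that could lock you out (ssh, filters, routing).
[edit]
user@srx# commit confirmed 5 comment "ssh hardening, change ticket 1234"
commit confirmed will be automatically rolled back in 5 minutes unless confirmed
commit complete

# ... verify you can still log in, then make it permanent:
user@srx# commit
commit complete

## Or stage now and activate inside the change window
user@srx# commit at "2013-12-27 02:00:00"
# plans changed? cancel the pending scheduled commit from operational mode:
user@srx> clear system commit

## Rollback: see the history, diff against the previous commit, revert, commit
user@srx> show system commit
user@srx> configure
user@srx# show | compare rollback 1
user@srx# rollback 1
load complete
user@srx# commit
commit complete

## Fortigate (FortiOS CLI): no commit, but a revert timer
FGT # config system global
FGT (global) # set cfg-save revert         # changes apply immediately but are not saved
FGT (global) # set cfg-revert-timeout 600  # unsaved changes are reverted after 600 s
FGT (global) # end
# ... make the risky change, confirm you still have access, then save it explicitly:
FGT # execute cfg save

## Point-in-time copies kept on flash (restoring one requires a reboot):
FGT # execute backup config flash "before ssh change"
FGT # execute revision list
```

The `commit confirmed` form is the one to reach for on a remote SRX: if the change breaks your own management path, the box restores the previous configuration on its own and you are back in a few minutes later, with no site visit.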

3: IPV6 support and other advance supported features

IPv6 support goes to both, but from my experience, the SRX has better support for routing than the FGT. Juniper has also incorporated more routing-based features such as DVMRP, and for layer 2 port security, 802.1X is supported to some degree.

Please remember: Juniper is a network routing company. So it makes complete sense that they have taken a stronger stance on IPv6 routing support and other routing features when compared to Fortinet.

On the other hand, Fortinet has supported IPv6 for ages and has numerous other IPv6 features, such as DHCPv6, which the SRX did not support until just recently. Their advanced UTM and application awareness features are a plus and are included within the appliance.

4: SSLVPN Support

The FGT supports SSL VPN on the appliance. The Juniper approach is to buy a second appliance just for SSL VPN termination. This plainly sucks, but they are in the business of making money.

5:  Integral Wireless Lan Controller

Outside of the smallest models, the Fortigate lineup supports some type of integral WLC, with a limited number of supported APs and AP wireless tunneling. The Juniper SRX supports wireless LAN control in the larger branch models or their bigger appliances, also with a limited AP count.

6: Integral Wifi Interfaces

This feature goes to the FGT. Fortinet has incorporated some type of Wi-Fi interface into their SOHO and lower-end models. These interfaces support a wide range of SSIDs and multiple security/authentication modes. These same models also include fixed wired ports and cost slightly more than the wired-only models. So if you need a D-Link-style autonomous AP, but inside an advanced firewall appliance, a Fortigate FWF model should not be overlooked.

7:  Unix shell access

The SRX supports a Unix shell. It allows one to do a host of things, such as:

  • Mount external-format file systems (thumb drives, CD-ROM, external floppies, etc.)
  • Create and execute administration scripts
  • Write packet captures from the CLI using standard pcap expressions
  • MD5/SHA-256 hash utilities
  • XML output
  • Simple text editors: vi/vim/ed
  • Snapshot creation
  • Common Unix utilities: sed, awk, grep, egrep, cut, etc.
  • Mounting of ISO or NFS mount points
  • man pages

The FGT does not have this option, and this pretty much sucks if you are like me: a CLI junkie :)
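Here, as an added example that is not part of the original post, is what a few of those items look like in practice on an SRX: a capture written with a pcap filter, hashing the result (and a software package) before it leaves or is installed on the box, XML output for scripting, and a snapshot. Interface names, addresses, paths and the package placeholder are made up.

```text
## Capture on the box with a normal pcap expression (operational mode)
user@srx> monitor traffic interface ge-0/0/0 matching "tcp port 443 and host 203.0.113.10" write-file /var/tmp/https.pcap size 1514 no-resolve count 500

## Hash it from the FreeBSD shell before copying it off for analysis
user@srx> start shell
% sha256 /var/tmp/https.pcap
% md5 /var/tmp/https.pcap
% exit
user@srx> file copy /var/tmp/https.pcap scp://analyst@10.0.0.50/captures/

## Same idea for a software package: compare against the vendor-published hash
## before "request system software add"
user@srx> start shell
% sha256 /var/tmp/<junos-package>.tgz
% exit

## XML for scripts, and a snapshot of the running image to the alternate partition
user@srx> show security policies | display xml
user@srx> request system snapshot

## Caveat: "monitor traffic" only sees traffic to/from the Routing Engine. For
## transit flows on a branch SRX, sample them through a firewall filter into a
## packet-capture file (written under /var/tmp, one file per interface):
[edit]
user@srx# set forwarding-options packet-capture file filename transit.pcap files 5 size 1m
user@srx# set firewall family inet filter cap term https from protocol tcp
user@srx# set firewall family inet filter cap term https from destination-port 443
user@srx# set firewall family inet filter cap term https then sample accept
user@srx# set firewall family inet filter cap term rest then accept      # never end a filter without an accept
user@srx# set interfaces ge-0/0/1 unit 0 family inet filter input cap
user@srx# commit
```

The filter's final `rest then accept` term matters: a Junos firewall filter has an implicit discard at the end, so a capture filter without it would drop everything on that interface that was not being sampled.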

8:  Admin port access change

This is a big one for me personally. The FGT lets one easily change the administration access ports for SSH, web, or telnet
(please don't use telnet for managing a security appliance :) ).

The SRX makes this task extremely hard or next to impossible without hacking around the inetd configuration or other parts of the firewall filter configuration.
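As an added example (mine, not the author's), the FortiOS side of item 8 together with the knobs I would change at the same time, plus the one listener the SRX does let you move. Ports, addresses, admin name and interface names are made up; FortiOS 4.x/5.x syntax is assumed.

```text
## Fortigate: move the management listeners
FGT # config system global
FGT (global) # set admin-sport 8443      # HTTPS GUI, default 443
FGT (global) # set admin-ssh-port 2222   # SSH, default 22
FGT (global) # set admintimeout 5        # idle admin sessions end after 5 minutes
FGT (global) # end

## Moving the port is only obscurity; what actually protects the box is
## per-interface access (no telnet/http listed here) and per-admin trusted hosts
FGT # config system interface
FGT (interface) # edit wan1
FGT (wan1) # set allowaccess ping https ssh
FGT (wan1) # next
FGT (interface) # end

FGT # config system admin
FGT (admin) # edit admin
FGT (admin) # set trusthost1 10.0.0.0 255.255.255.0
FGT (admin) # set trusthost2 10.0.1.5 255.255.255.255
FGT (admin) # next
FGT (admin) # end

## SRX: J-Web does take a port knob (https must already be enabled with a
## certificate); the SSH listener does not, which is the gap described above.
## So instead control which zones will even accept ssh towards the box.
[edit]
user@srx# set system services web-management https port 8443
user@srx# delete system services telnet
user@srx# delete security zones security-zone untrust host-inbound-traffic system-services ssh
user@srx# set security zones security-zone trust host-inbound-traffic system-services ssh
user@srx# commit
```

On either platform the useful test afterwards is from the outside: a port scan of the untrust address should show nothing but the services you intended, regardless of which port numbers they sit on.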

9:  MPLS  termination

The SRX supports MPLS labeling with ease. I never fully recommend this for the average deployment, but if you need to terminate MPLS labels, you can do so with an SRX. The FGT lineup is not MPLS aware, and this again goes back to Juniper being a routing company and Fortinet being a security company.

10:  GRE tunnels  interfaces supports

Both support the common GRE interface. A GRE interface is treated as just another interface: it can carry firewall policies and an IP address, and you can run routing protocols over it.

11: zones –based policies

An SRX security gateway uses the concept of zones only: firewall policies are built from one zone to another zone. The Fortigate uses port-based firewall policies, meaning firewall policies are built from one port (interface) to another.

Keep in mind that the Fortigate does allow you to group interfaces into a common zone, and then you can write firewall policies from zone to zone or from a zone to a port, but this is not the default method.

(see my earlier posting on this blog about zones)
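An added example (mine, not from the post) of the same policy intent, HTTPS out from the inside, expressed both ways: zone-to-zone on the SRX, and port-to-port then zone-to-port on a Fortigate once interfaces are grouped. Interface and zone names are made up; FortiOS 4.x/5.x policy syntax is assumed.

```text
## SRX: interfaces belong to zones; policy is written between zones and nothing else
[edit security]
user@srx# set zones security-zone trust interfaces ge-0/0/1.0
user@srx# set zones security-zone untrust interfaces ge-0/0/0.0
user@srx# set zones security-zone trust host-inbound-traffic system-services ping
user@srx# set policies from-zone trust to-zone untrust policy allow-https match source-address any
user@srx# set policies from-zone trust to-zone untrust policy allow-https match destination-address any
user@srx# set policies from-zone trust to-zone untrust policy allow-https match application junos-https
user@srx# set policies from-zone trust to-zone untrust policy allow-https then permit
user@srx# set policies from-zone trust to-zone untrust policy allow-https then log session-close
user@srx# set policies default-policy deny-all     # anything not matched above is dropped
user@srx# commit

## Fortigate: the default is interface-to-interface ...
FGT # config firewall policy
FGT (policy) # edit 10
FGT (10) # set srcintf "internal1"
FGT (10) # set dstintf "wan1"
FGT (10) # set srcaddr "all"
FGT (10) # set dstaddr "all"
FGT (10) # set action accept
FGT (10) # set schedule "always"
FGT (10) # set service "HTTPS"
FGT (10) # set logtraffic all
FGT (10) # next
FGT (policy) # end

## ... but interfaces can be grouped into a zone. An interface that is still
## referenced by a policy cannot be added to a zone, so retire policy 10 first.
FGT # config firewall policy
FGT (policy) # delete 10
FGT (policy) # end
FGT # config system zone
FGT (zone) # edit "inside"
FGT (inside) # set interface "internal1" "internal2"
FGT (inside) # set intrazone deny        # internal1 <-> internal2 still needs an explicit policy
FGT (inside) # next
FGT (zone) # end
FGT # config firewall policy
FGT (policy) # edit 11
FGT (11) # set srcintf "inside"
FGT (11) # set dstintf "wan1"
FGT (11) # set srcaddr "all"
FGT (11) # set dstaddr "all"
FGT (11) # set action accept
FGT (11) # set schedule "always"
FGT (11) # set service "HTTPS"
FGT (11) # set logtraffic all
FGT (11) # next
FGT (policy) # end
```

The `intrazone deny` setting is the one to get right when you start grouping Fortigate interfaces: with the default it stays open, so two segments you meant to keep separated can talk the moment they share a zone.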

12:  Explicit Proxy  &  webtraffic inspections

I wanted to stay away from advanced UTM features in this SRX and FGT cook-off, since the Fortigate is far superior in this area. But I did want to note that the FGT has much better support for web traffic inspection and interception than what the SRX offers.

Once again, as with SSL VPN support, in the Juniper world you have to buy a second component or add some type of license.

They do have other application-aware features like AppSecure, but in my experience this has been flaky across all platforms, and it is an additional cost and license to purchase. Just like with the Cisco ASA, everything on an SRX seems to be a "buy or add-on" license. The FGT appliance is pretty much buy it and turn on what you need.

13:  ServerLoadBalancer supported VIPs

Load-balancing VIPs with multiple back-ends are a serious plus in the Fortigate lineup. One might say, "why not buy a server load balancer?" My answer: not all load balancing requires a second, complex component; simple redundancy requirements do not.

Keep in mind the LB VIP options in the Fortigate appliances are very basic. You are not going to write any iRules/aRules or do any complex responder policies in a Fortinet FGT appliance.

If you need a true SLB, buy any of the well-known SLBs from vendors like A10 Networks, ServerIron, Citrix, or F5, or, now that I think of it, Fortinet has a load balancer too.

But if you need a simple load-balanced VIP with simple health checks, the FGT appliances do offer this feature in the firewall.

14: Virtual  Firewalls Appliances

In the last 4 years or so, Fortinet has jumped onto the VMware-supported virtual firewall bandwagon. I myself have not been a big fan of this approach, but it is supported and available, and they are taking a strong stance in this area. The Fortinet sales team is pushing the virtual appliances more and more, and not just for demos.

15: Licensing

Yeah, my favorite subject. This is a 9-letter bad word in the IT network arena, but we can't avoid it.

The Juniper SRX is based on a license model for various features. The FGT, for the most part, is not. Outside of VDOM support or licensing within the virtual firewall appliances, you have pretty much no licenses or other restrictions beyond the matrix guides and the limits based on the size of the appliance.

16: WebGUI access

Both units have a WebGUI. The SRX interface is slowly advancing, whereas the FGT interface is slicker and far more advanced. As a matter of fact, they have too much stuff in the WebGUI (imho). So with the later Fortigate OS, you have the ability to select how much clutter is displayed in the WebGUI and dashboards.

The Juniper WebGUI is also much slower than the speedier Fortigate interface (imho). You can easily wait 1-2 minutes for a commit and changes in the Juniper device manager interface, and this is more noticeable on the smaller units.

17:  The capacity for Interface Monitoring in real time 

Most FGT show commands execute once and are not real time by any means. The SRX allows certain interfaces to be monitored in real time or at set intervals. I find this useful when working with interfaces and looking for changes while debugging or running diagnostics.

18: LLDP support

Yep, the Juniper SRX supports LLDP on most physical interfaces. The Fortinet FGT appliances are LLDP unaware. This can be very helpful with diagnostics and debugging of interfaces and layer one or two issues.

19: ARP aging timers

The SRX supports a per-interface ARP aging timer, whereas the FGT does not as of the latest codeset from Fortinet.

20:  WCCP Support

The SRX does not support WCCP. What this means: you are limited in the deployment options for redirecting traffic to a third-party web filter/inspection engine.

The Fortinet FGT has supported WCCPv2 for ages, and it works quite well in the bigger units. I have personally seen issues with it dragging its feet or hanging on the smaller chassis platforms; YMMV.

I hope these 20 items help you in your evaluation of these two superior firewall appliances.

Happy Holidays from Ken @ socpuppets.

Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(   ^   ^  )=
       /     \
