Solved

SonicWall NSA 220 vs Fortigate 100D - FIGHT!

Posted on 2014-09-26
6
2,281 Views
Last Modified: 2014-10-03
I am looking to replace my dated UTM device.  I local vendor is suggesting the SonicWall NSA 220 Series and CDW is suggesting a Fortinet Fortigate 100D.  

Our office consists of about 40 users with desktops.  We are a BOYD shop so I am sure that there are some cellphones, iPads and other devices hoping on and off our wireless network throughout the day.  We also have 5 outside sales guys that use a VPN to get onto our network.  

During my research I found the following (however it was a site pushing SonicWalls):
 
Some reasons why SonicWALL is better:

1. Limited Proxy – based AV Scanning FortiGates using proxy-based AV scanning have file size limitations and performance-limiting intellectual property and hardware. Files larger than the buffer are passed without being scanned or are blocked. SonicWALLs have no such file size limitations.

2. Basic Application Management – SonicWALL's running SonicOS 5.6.4 and later with Application Intelligence, Control and Visualization provide a comprehensive set of application management capabilities. FortiGates are limited to very basic allow, block and log. Also, SonicWALLs have 3x as many application signatures as FortiGates.

3. Inadequate File and Protocol Scanning – FortiGates scan only a portion of each file for malware across just 11 protocols. SonicWALLs scan the entire file over 50+ protocols.

4. Poor Distributed Wireless Functionality – FortiWiFis offer few wireless features. SonicWALLs provide many more such as Lightweight Hotspot Messaging, Wireless Guest Services and others.

5. Costly Central Management – You will need to purchase and run FortiManager and FortiAnalyzer together to get the equivalent features of SonicWALL GMS.

6. No IPv6 or ICSA Enterprise Firewall Certification – While FortiGates may support IPv6, SonicWALL NSA and E-Class NSA Series appliances are IPv6 certified. In addition, SonicWALL is the first network security vendor to receive ICSA Enterprise Firewall certification. Fortinet products have no such certification.

7. Poor Anti-Spam Options – The FortiGate email filter service is limited to three dynamically-updated techniques (IP Reputation, Message body URL check and Message body content signatures). SonicWALL Comprehensive Anti-Spam Service utilizes 3x as many techniques including those.

8. One-way Anti-Spyware Protection – FortiGates monitor only inbound traffic for spyware, not outbound. SonicWALLs monitor and block spyware in both directions.

9. Restricted 3G Availability – Only low-end FortiGates (80 Series and below) have 3G wireless WAN failover. SonicWALL includes 3G across all firewall lines.

10. Lack L2TP Server Support for Handheld Devices – FortiGates lack L2TP Server, so handhelds are unable to connect to the firewall. SonicWALLs include built-in L2TP Server.

I am VERY green when it comes to this stuff so I am turning to you for suggestions.  The Fortigate costs a bit more money but I don't have a problem with that as long as it is money well spent.  So what are your thoughts on which device that I should go with?
0
Comment
Question by:csimmons1324
6 Comments
 
LVL 6

Accepted Solution

by:
Joseph Undis earned 100 total points
ID: 40346655
While I haven't worked with many FortiGate devices, I have a few and I've found SonicWall much easier to manage in the long run and I'm actually deploying an NSA220 next week to replace an old SonicWall TZ210.

 I'm a big fan of the wireless management integration and easy GUI, but if you ever have an issue that is something you can't fix, expect hours of phone calls.

The devices and UI are the best I've used, but 20 hours of calls over 2 weeks to fix an iintermittent WiFi issue was pretty lame.
0
 
LVL 14

Assisted Solution

by:JAN PAKULA
JAN PAKULA earned 100 total points
ID: 40346949
SonicWall NSA 220 both hands - i actually have nsa 220 nsa250m and  nsa3500

yearly subscriptions are pricey with sonicwall (to get all the feature you will have to pay)

but IMHO it is money well spend
0
 
LVL 2

Assisted Solution

by:great_gentle_man
great_gentle_man earned 100 total points
ID: 40347250
Hi,

I am using Fortinet's Fortigate 100-d for multiple wan links and 60D/B with two wan ports. , with fault tolerance and load balancing.

Fortinet is market leader in its segment according gartner.

http://www.gartner.com/technology/reprints.do?id=1-1Z6XAOO&ct=140807&st=sb

about 200 users, 100 d handling every thing fine,
at the moment we are using couple of site to site vpns with multiple wan links in ft, &  nlb,
35 remote users are using ssl vpn to connect,
Internet proxy for all internal users, with logging
content filtering,
DMZ.
16gb Internal storage.
etc.etc

you can have two similar devices in high-availability mode, log analayser can also be added for logging and analysis.

If you are a windows server admin, the GUI is easy enough, although some things needs getting used to , if you are a cli person, the command prompt is very powerful, but also quite different from Cisco.

both sonicwall and fortigate are good enough, but gartner put them on top for good reason.
read the report care fully and completely as it will clear lot of questions, specially the strengths ans cautions of each vendors.
0
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

 
LVL 8

Assisted Solution

by:myramu
myramu earned 100 total points
ID: 40347804
Hello,

We are using Fortigate and no issues at all. As far as I know Fortigate is feature rich device compared to any NGFW/UTM device. The above competitive info you mentioned are from Sonicwall website and those are false now when we did POC. Fortigate supports flow based scanning as well (no file limit) and AD integration and Fortiview reporting is ultimate for our setup.

Comparison list from every vendor will be different. I recommend you to do POC and opt for best suite your needs.

Good Luck!
0
 
LVL 32

Assisted Solution

by:aleghart
aleghart earned 100 total points
ID: 40351333
I have a few SonicWalls, couple of Cisco ASA, and a single Fortigate at different sites.  Biggest advantage to the Fortigate site:  they can bandwidth limit each client.  On our Sonicwalls, we can't limit a single device to a set amount of bandwidth (say, 512Kbps or 1Mbps).  It really helps when you have dozens or hundreds of people on your guest wireless.

Sonicwalls are pretty easy to maintain by sysadmins with little firewall experience, as long as you keep up the support for the first year or two.  It really helps to have an engineer walk you through a task, or just take over and do it for you.

If you're a small shop, Sophos is giving away Astaro UTM free for small business use (small environments).  You can install on spare desktop/server hardware, or run as a VM.

I have a hardware/appliance Astaro with only limited features running.  Web interface is fairly easy to learn, like Sonicwall.  Support is highly recommended, but probably not required.  I'm thinking about re-purposing an old desktop at home and setting up my own UTM for free.
0
 

Author Closing Comment

by:csimmons1324
ID: 40359779
Thanks for all the great feedback!
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

 One of the main issues with network wires is that you never have enough.  You run plenty and plan for the worst case but you still end up needing more.  What many people do not realize is with 10BaseT and 100BaseT (but not 1000BaseT) networks you …
Occasionally, we encounter connectivity issues that appear to be isolated to cable internet service.  The issues we typically encountered were reset errors within Internet Explorer when accessing web sites or continually dropped or failing VPN conne…
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor (https://www.paessler.com/prtg). If you're interested in additional methods for monitoring bandwidt…
This video shows how to remove a single email address from the Outlook 2010 Auto Suggestion memory. NOTE: For Outlook 2016 and 2013 perform the exact same steps. Open a new email: Click the New email button in Outlook. Start typing the address: …

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now