CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: Check Point vs Fortinet pro's and con's.

  1. #1
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Check Point vs Fortinet pro's and con's.

    CIO brought in some Fortinet reps for a sales pitch. And I'm asking for the pros and cons of each. I have searched the forum and read a couple of threads that cover this topic, and I've read a few things on the Internet.
    The latest NSS reports state that the TCO per protected-Mbps for a Check Point 13500 is $21.45 vs Fortinet's 3600C $8.30; this is what's caught my CIO's attention.
    The NSS report compares Check Point's 13500 and Fortinet's 3600C; we won't be using those models, so the dollar figures may be moot. But they did get his attention.

    We're probably looking at Fortinet's 500D UTM vs Check Point's 4400, specifically the model CPAP-SG4400-NGTP-HA
    I chose the SG4400-NGTP-HA because it's similar in price to the 500D UTM on a site I looked at and has the software blades that match up with Fortinet's UTM package.

    The other thing that was mentioned was Fortinet's use of their ASIC chips increasing throughput.

    About us, a long time Check Point shop, albeit a small one, a single SPLAT R75.30 open server running security and management on the one box. We'll soon be moving to an HA solution for fault tolerance, redundancy, and PCI compliance. PCI compliance has just become very important to us.

    No doubt there are some other metrics you may need that I'm forgetting.

    Thanks in advance for your time and consideration.

  2. #2
    Join Date
    2014-09-23
    Location
    Austin, TX
    Posts
    136
    Rep Power
    5

    Re: Check Point vs Fortinet pro's and con's.

    I've had experience with Fortinet and I'd say you can't really go wrong with either one. In your research I'm sure you've checked out Gartner's Magic Quadrant for firewalls and seen that Fortinet is a strong challenger to industry leaders CP and PAN and even outranks Cisco. Overall it comes down to does it meet the requirements laid out and the admin's comfort level and confidence in it... and of course co$t :)

  3. #3
    Join Date
    2013-09-25
    Location
    Bucharest
    Posts
    649
    Rep Power
    6

    Re: Check Point vs Fortinet pro's and con's.

    I have been a Fortinet administrator for 7-8 years now and have 2-3 years on Check Point.

    Fortinet does very well on:
    - SMB
    - price vs performance
    - routing, routing with VPNs, routing with load balancing, etc.

    Check Point does very well on:
    - enterprise with its management server and SmartDashboard

  4. #4
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    15

    Re: Check Point vs Fortinet pro's and con's.

    At your scale it doesn't really matter too much what you use. Both can meet your needs.

    Price per Mbps is interesting at a certain scale, but really it comes down to your specific needs. What would it cost to get the level of performance you need today, and what do your growth projections look like? What would be your cost to transition? (new HW, migration, training, etc). If you're doing cost comparisons, make sure you include accurate support costs. These can get glossed over, but they will make a huge difference to the amount you'll pay over 3 years.

  5. #5
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Thanks guys. I guess I was kind of looking/hoping/wishing for some killer argument on why we should stay with Check Point over Fortinet. (Purely selfish reasons, I've only worked with Check Point.) And I have read Gartner's Magic Quadrant and the NSS Labs reports. And my CIO has too. Contacted my SE for some tips, etc. Bottom line is cost, my CIO is under pressure to reduce costs.

  6. #6
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Re: Check Point vs Fortinet pro's and con's.

    Fortinet's main competitive edge is price and that is the primary element they compete on. They don't have all the features of a Gartner magic quadrant leader like Check Point but will it be able to do enough to satisfy the security requirements of most customer sites? Usually the answer is yes if those requirements don't include advanced features such as threat emulation.

    Juniper/Palo Alto/Fortinet love to play up their ASIC/FPGA custom hardware vs. Check Point and while custom hardware can make performance more predictable in real-world scenarios, it is more of a philosophical difference. Check Point has thrown in their lot with Intel and their commitment to keep up with Moore's Law as they pack in more and more processing cores for less cost. Not a bad curve to hop onto via CoreXL, as opposed to the expense of developing and leveraging your own dedicated hardware. One potential downside of the CoreXL approach is that more performance tuning tends to be required because all firewall and related functions are competing for the same core resources (as opposed to being offloaded to dedicated hardware) which is why I wrote my book.

    Check Point definitely has the edge in ease of management which does reduce labor costs going forward, but those savings are difficult to quantify.
    Last edited by ShadowPeak.com; 2015-09-24 at 01:12.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  7. #7
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by ShadowPeak.com
    Fortinet's main competitive edge is price and that is the primary element they compete on. They don't have all the features of a Gartner magic quadrant leader like Check Point but will it be able to do enough to satisfy the security requirements of most customer sites? Usually the answer is yes if those requirements don't include advanced features such as threat emulation.

    Juniper/Palo Alto/Fortinet love to play up their ASIC/FPGA custom hardware vs. Check Point and while custom hardware can make performance more predictable in real-world scenarios, it is more of a philosophical difference. Check Point has thrown in their lot with Intel and their commitment to keep up with Moore's Law as they pack in more and more processing cores for less cost. Not a bad curve to hop onto via CoreXL, as opposed to the expense of developing and leveraging your own dedicated hardware. One potential downside of the CoreXL approach is that more performance tuning tends to be required because all firewall and related functions are competing for the same core resources (as opposed to being offloaded to dedicated hardware) which is why I wrote my book.

    Check Point definitely has the edge in ease of management which does reduce labor costs going forward, but those savings are difficult to quantify.
    I think Fortinet will make the pricing very attractive, and with us being such a small shop there's not much incentive for Check Point to keep us around. And as stated earlier we can't take advantage of Check Point's main strength of centrally managing multiple security gateways. By the way I've bought both your and phoneboy's books. His years ago, yours about two weeks ago. I'm just getting into it. I'd been waiting a long time for something like it. You mention that all that's in your book is available in Check Point's documentation. But it's nice to have it consolidated. Over the years I've dug through and read a lot of Check Point's docs. And I don't recall seeing the Unix cmds that you present such as in chapters 1 and 2. Today I was trying to pull out the hardware info, using dmidecode, procinfo and lshw but no joy, it's a SPLAT box, says cmd not found. Wouldn't have a trick up your sleeve for that one, would you?

  8. #8
    Join Date
    2006-07-28
    Location
    San Francisco, USA
    Posts
    2,494
    Rep Power
    15

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by Spacetrucker
    Bottom line is cost, my CIO is under pressure to reduce costs.
    If cost (particularly short-term cost) is a driver, then Fortinet may well be the better option right now if you're going from a single box to an HA setup.

    Regards ASICs/FPGAs vs x86...it really depends what performance you need. If you need 100Gbps, then you need some custom HW. But if you're only doing say 200Mbps, then pretty much anything will do.

    If you've only worked with Check Point, and the boss decides to go Fortinet, don't be down about it - instead look upon it as a chance to gain some new skills. Gives you a different perspective on things, and makes you more valuable.

  9. #9
    Join Date
    2009-04-30
    Location
    Colorado, USA
    Posts
    2,248
    Rep Power
    14

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by Spacetrucker
    By the way I've bought both your and phoneboy's books. His years ago, yours about two weeks ago. I'm just getting into it. I'd been waiting a long time for something like it. You mention that all that's in your book is available in Check Point's documentation. But it's nice to have it consolidated. Over the years I've dug through and read a lot of Check Point's docs. And I don't recall seeing the Unix cmds that you present such as in chapters 1 and 2. Today I was trying to pull out the hardware info, using dmidecode, procinfo and lshw but no joy, it's a SPLAT box, says cmd not found. Wouldn't have a trick up your sleeve for that one, would you?
    What version of code are you running on your SPLAT system? dmidecode should definitely be there, and lshw was not in the book. procinfo is not available on Gaia but you can mess around in /proc and manually view the "files" under there to get what you need.
    --
    Second Edition of my "Max Power" Firewall Book
    Now Available at http://www.maxpowerfirewalls.com

  10. #10
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by northlandboy
    If cost (particularly short-term cost) is a driver, then Fortinet may well be the better option right now if you're going from a single box to an HA setup.

    Regards ASICs/FPGAs vs x86...it really depends what performance you need. If you need 100Gbps, then you need some custom HW. But if you're only doing say 200Mbps, then pretty much anything will do.

    If you've only worked with Check Point, and the boss decides to go Fortinet, don't be down about it - instead look upon it as a chance to gain some new skills. Gives you a different perspective on things, and makes you more valuable.
    We've got a 100 Mbps pipe. And they do say with change comes opportunity, LOL.

  11. #11
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by ShadowPeak.com
    What version of code are you running on your SPLAT system? dmidecode should definitely be there, and lshw was not in the book. procinfo is not available on Gaia but you can mess around in /proc and manually view the "files" under there to get what you need.
    Thanks for the feedback on dmidecode.
    I didn't look at the output carefully enough.
    dmidecode --type processor
    --type: No such file or directory

    I've got it now by piping it out to a file. dmidecode > /tmp/hardware.txt

    And I'm running R75.30.

    I manage a few Debian servers and it works on them. So I thought it was just a cmd that had been removed to harden the o/s.

    dmidecode --type processor
    # dmidecode 2.12
    SMBIOS 2.3 present.

    Handle 0x0400, DMI type 4, 40 bytes
    Processor Information
    Socket Designation: Proc 1
    Type: Central Processor
    Family: Xeon
    Manufacturer: Intel
    ID: F6 06 00 00 FF FB EB BF
    Signature: Type 0, Family 6, Model 15, Stepping 6
    Flags:
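
When the installed dmidecode rejects `--type`, as in the error shown in the post above, the full dump saved with `dmidecode > /tmp/hardware.txt` can be filtered by DMI type afterwards. This is an added example, not part of the original thread; the function names `dmi_records` and `dmi_field` and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example: pick records of one DMI type out of a saved dmidecode dump.

# dmi_records TYPE FILE: print every record whose header says "DMI type TYPE".
dmi_records() {
    awk -v want="$1" '
        /^Handle 0x/ {
            # Header looks like: Handle 0x0400, DMI type 4, 40 bytes
            keep = 0
            n = split($0, part, ", ")
            for (i = 1; i <= n; i++)
                if (part[i] == ("DMI type " want)) keep = 1
        }
        keep { print }
    ' "$2"
}

# dmi_field TYPE FIELD FILE: print the value of each "FIELD: value" line
# found inside records of the given DMI type.
dmi_field() {
    dmi_records "$1" "$3" | awk -v field="$2" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)          # drop the record indentation
            if (index(line, field ": ") == 1)
                print substr(line, length(field) + 3)
        }
    '
}

# Constructed sample dump (not real output from the poster's system).
sample_dump() {
cat <<'EOF'
# dmidecode 2.12
SMBIOS 2.3 present.

Handle 0x0000, DMI type 0, 20 bytes
BIOS Information
    Vendor: ExampleVendor
    Version: 1.0

Handle 0x0400, DMI type 4, 40 bytes
Processor Information
    Socket Designation: Proc 1
    Type: Central Processor
    Family: Xeon
    Manufacturer: Intel

Handle 0x1100, DMI type 17, 23 bytes
Memory Device
    Size: 2048 MB
    Type: DDR2
EOF
}

# Usage: sh dmi_filter.sh 4 /tmp/hardware.txt   (script name is hypothetical)
if [ "$#" -eq 2 ]; then dmi_records "$1" "$2"; fi
```

Type 4 is the processor record and type 17 the memory device record, matching the `DMI type` number printed in each `Handle` line of the dump.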

  12. #12
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: Check Point vs Fortinet pro's and con's.

    Well, this should be very simple.

    Fortinet wins performance/price for small isolated security systems. It is perfect for SMB type of environment, if classic firewalling is what you need.

    Check Point wins large enterprise deployments and more advanced security requirements. Its administrative experience is also much more user friendly.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  13. #13
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by varera
    Well, this should be very simple.

    Fortinet wins performance/price for small isolated security systems. It is perfect for SMB type of environment, if classic firewalling is what you need.

    Check Point wins large enterprise deployments and more advanced security requirements. Its administrative experience is also much more user friendly.
    Thanks for the feedback. Would you give me an example of a more advanced security requirement? Once I have the quotes in hand I'll get back to you on pricing. We have to factor in the cost for an onsite Fortinet engineer to do the initial setup, and migration from Check Point. Along with training so we can maintain Fortinet once it's up and running.

  14. #14
    Join Date
    2006-03-08
    Location
    Lausanne
    Posts
    1,030
    Rep Power
    15

    Re: Check Point vs Fortinet pro's and con's.

    You will see as soon as you get to configuring policies. Comparing to CP user experience, well... brace yourselves.

    As for advanced security, FT is rather late into Application Control and Threat Prevention. Also, make sure you understand how advanced security such as AVI, AC and IPS behaves under load.

    I have seen some customers migrating from CP to FT, and I would love to get your feedback in a year or so.
    -------------

    Valeri Loukine
    CCMA, CCSM, CCSI
    http://checkpoint-master-architect.blogspot.com/

  15. #15
    Join Date
    2007-03-08
    Posts
    329
    Rep Power
    13

    Re: Check Point vs Fortinet pro's and con's.

    Quote: Originally Posted by varera
    You will see as soon as you get to configuring policies. Comparing to CP user experience, well... brace yourselves.

    As for advanced security, FT is rather late into Application Control and Threat Prevention. Also, make sure you understand how advanced security such as AVI, AC and IPS behaves under load.

    I have seen some customers migrating from CP to FT, and I would love to get your feedback in a year or so.
    I'd love to get your feedback from your customers who have moved to FT right now, LOL. A little history here, my CIO requires a minimum of 1, preferably 2Gbps IPS throughput. We're a small shop so we started out looking at the FT 500D appliances. Our CP SE sized a 4800 for us to compete with the 500D. Our CP SE also pointed out that the 500D with AV running drags performance down to 1.7Gbps according to the 500D datasheet. Fortinet said fine, don't use the 500D, use the 600D, AV runs at 3Gbps, and IPS at 7Gbps. What Check Point appliance is comparable? My CIO goes to the CP appliance chart and finds that the 13500 model offers 7.8Gbps. There's a bit of a difference in price. We didn't even ask for a quote on the 13500 model. We have one for the 12200 model and it's $20,000 higher than the 600D. And the 600D is $4000 more than the CP 4800. My CIO sees us getting a lot more value going with the 600D over the CP 4800.

    Our CP SE has pointed out the architecture is different, that you can't compare throughput service per service, etc, you'll drive yourself crazy. But he's the one who brought up the AV metrics. So if you would have an argument for staying CP I'd need to hear it now. My CIO is back in the shop tomorrow. And this is going to be the first thing on his list.

    Thanks

  16. #16
    Join Date
    2012-08-16
    Posts
    182
    Rep Power
    7

    Re: Check Point vs Fortinet pro's and con's.

    Bumping this up from the dead. Did you ever make a decision to stick with Check Point or go with Fortinet? If you made the switch how is it working out for you?
