Wednesday, September 1, 2021

Cisco Firepower vs Fortinet/Palo

Hey all,

I've seen a number of posts of people recommending pretty much anything over firepower, but why?

Personally I'd like to consider changing vendors, but there is pressure to stick with Cisco and roll it into an EA. We have a number of Cisco security products, and quite frankly, they seem pretty good, and the integration with one another is pretty nice. I need to refresh the hardware within the next year or so (currently have a bunch of ASAs running firepower). Also, can't get fired for buying Cisco...

I've inherited these devices and have been learning how to use them. I wouldn't say it's a happy experience, but it's not horrible. Of all the security products, I think Firepower is the one that could be replaced with something better. Since upgrading them to 6.6.4 it has been a little bit better than when they were running older code (one upgrade caused an outage due to Firepower deciding not to advertise routes on the secondary appliance, and Cisco TAC couldn't tell me why). I hear things are supposed to get better with 7.x, and the addition of Snort 3 should offer better performance.

Is anyone able to offer more details as to why other platforms are better? I need some technical reasons as to why one is better than the other (ex: Antivirus/antimalware, SSL decryption, App control, IPS, and for the OT space). There isn't a whole lot of time before the EA decision, so can't really do a PoC.

Some of my grievances so far with Firepower:

- No OSPF BFD support
- Active/passive HA only. This is fine except for my datacenter.
- SSL decryption performance sounds terrible. Not doing it today, but it looks like I'd need to get another product to handle it, like F5.
- Firepower doesn't detect applications running on different ports without me telling it to look there. I hear this should change with the newer Snort version.
- I wish reporting was a little bit better with FMC.
- On newer FTD devices you have to update FXOS, then the Firepower services...
- Initial setup of a firewall is a chore.

Just an idea of the appliances that I've been getting quoted for my sites (excluding the DC), since I plan on doing a lot more with the firewalls:

- FTD 4112
- FortiGate 1800F

Thanks.
