Fortinet vs Palo Alto Networks (SD WAN & Cybersecurity)
Table of Contents
What are the main differences between Fortinet vs Palo Alto Networks?
Palo Alto Networks offers comprehensive and innovative security solutions. Their products are designed to protect your organisation from a wide range of online threats, including malware, ransomware and phishing attacks. Fortinet is a cybersecurity company that provides products and services to protect networks, devices and data from cyberattacks. Fortinet’s products include firewalls, antivirus software, intrusion detection systems, and other security solutions.
In addition to their exceptional product lineup, Palo Alto Networks also provides expert threat intelligence and 24/7 support services to help keep you protected against the latest threats. Fortinet offers a range of services, including consulting, education, and managed security services. Fortinet has been recognised as a leader in the cybersecurity industry for its innovative products and services.
Fortinet vs Palo Alto Networks – Summary
Perhaps the two largest and most influential companies in IT network security not named Cisco, whose horizontally integrated product line is in a class by itself, are Fortinet and Palo Alto Networks. Furthermore, the two companies openly acknowledge and treat each other as competitors, with Fortinet going so far as to show financial comparisons with Palo Alto at its latest Investor Presentation. Although Palo Alto is about 36 per cent larger by revenue, as the chart below illustrates, Fortinet is growing just as fast (both with 20+ percent annual revenue increases) and has consistently been profitable while Palo Alto continues to burn cash on acquisitions, expansions and product development, losing almost $500 million over the past twelve months.
Fortinet and Palo Alto Networks started by concentrating on very different markets — Fortinet on SMBs and SOHO users needing easily deployed and managed appliances and Palo Alto on enterprises and service providers requiring highly performant and scalable next-generation firewalls. However, in the last few years and particularly since the initial Covid restrictions, their paths have crossed as organisations needed security solutions to address an explosion in the number of remote workers and usage of cloud services.
- Fortinet Management Interface
For example, Palo Alto expanded into the Work-From-Home (WFH) market with the Okyo Garde appliance that combines a Wi-Fi 6, mesh-enabled AP with Palo Alto’s firewall technology to protect against intrusions, malware and phishing attacks. Conversely, Fortinet attacked Palo Alto’s strength in data centre firewalls with the FortiGate 4200F that uses the company’s proprietary seventh-generation NP7 security processor to deliver what the company claims is 5 to 15 times better performance than comparable products from Palo Alto, Check Point, Cisco and Juniper.
As we compare these two companies, note that there are many ways to categorise enterprise security products, made more difficult since there has been significant industry consolidation with every network security company grouping their products in different ways. For example, Palo Alto breaks its offerings into:
- Network security (traditional hardware and virtual firewalls and traffic inspection products).
- Cloud security (virtual security software run on cloud instances or containers and designed for VPC networks).
- Security operations software (data logging, analysis, task automation and forensics).
- Edge security using SASE services and Zero-Trust Access (ZTA) controls.
Fortinet uses similar categories with a few additions, but also slices products by customer segment into enterprise, SMB and service provider offerings. Here, we tweak these groupings and compare the two companies in three areas: Core enterprise networking and cloud-SaaS security products, notably SASE and various consulting services.
- Forticlient For Security-as-a-Service and Network-as-a-Service
Fortinet vs Palo Alto Networks – Core enterprise networking products
Core enterprise networking products
The heart of both companies’ enterprise products are next-generation firewalls available as both integrated appliances and modular chassis. The following table summarises these network security products.
Fortinet
- Chassis based: FortiGate 5000 and 7000 series
- High-end: FortiGate 2000, 3000 and 4000 series
- Mid-range: FortiGate 100F, 200F, 400E, 600E, 900D
- Entry-level: FortiGate 30E – 80F (8 models)
- Virtual firewall: FortiGate-VM (models supporting 1, 2, 4, 8, 16, 32 and unlimited vCPUs with throughput form 12 Gbps to greater than 50 Gbps depending on hardware)
Cloud/VM environments
Hypervisors
- VMware
- Nutanix
- OpenStack/KVM
Orchestration systems
- VMware NSX-T, Nuage, OpenStack
Container support
- FortiGate cloud connector supports container labels when defining security policies
OS
FortiOS that integrates with the Fortinet Security Fabric to deliver a variety of security functions, operational controls and third-party services. Uses custom NP7 and SoC4 security processors to accelerate firewall, VPN and IPS performance.
Palo Alto Networks
- Chassis based: PA-7000 and PA-5450 series
- High-end: PA-5200
- Mid-range: PA-3200
- Entry-level: PA-220, -400, -800 series
- Virtual firewall: VM-series (-50 to -700 supporting from 200 Mbps to 16 Gbps App-ID-enabled firewall performance)
Cloud/VM environments
- AWS
- Azure, AzureStack
- Google Cloud
- Oracle Cloud
- Alibaba Cloud
- VMware vCloud on AWS, private cloud (NSX, ESXi, Hyper-V, OpenStack)
Container support
- CN-series product for Kubernetes environments supports open source Kubernetes and AWS EKS, Azure AKS, Google Cloud GKE and Red Hat Openshift managed services.
OS
PAN-OS provides L7 visibility and control over network traffic and supports redundant HA environments. On top of traditional NGFW features, it includes inline ML analysis and protection, support for third-party IPS signatures, integrated IoT security and SD-WAN metrics. Uses multi-core CPU design that varies by model, although Palo Alto Networks does not provide details about the internal architecture.
Fortinet vs Palo Alto Networks – SD WAN deployment options
- Best Practices for Successful SD-WAN Deployment
SD WAN deployment options
Both companies also offer several ways to deploy SD-WAN including as part of edge hardware (for branch and WFH locations), virtual appliances (for enterprise data centres and multi-cloud fabrics) and as a managed service provider either solely by the company (Palo Alto) or in partnership with a NaaS provider (Fortinet-Megaport solution). The following table outlines each company’s SD-WAN options.
Fortinet
- Edge hardware: FortiGate 40F, 60F, 80F, 100F, 200F each with unrestricted WAN bandwidth and IPSec VPN throughput from 4.4 Gbps to 13 Gbps
- Wireless support via the FortiExtender 5G/LTE appliance which supports up to two SIMs and two wireless modems for a total of four wireless connections to a FortiGate firewall and SD-WAN network.
- Cloud virtual appliance: Fortinet Secure SD-WAN for Multi-Cloud
- Managed Service: Fortinet Secure SD-WAN and Megaport Virtual Edge (MVE) Solution combines Fortinet software with Megaport’s global network of 230 cloud on-ramps and 700+ data centres.
Palo Alto Networks
- Edge hardware: Entry-level NGFW hardware including the PA-220, –400, -800 series.
- Wireless support provided through partnerships such as the Cradlepoint NetCloud Service that combines wireless LTE and 5G endpoints with a managed service.
- Cloud virtual appliance: Prisma SD-WAN with CloudBlades for branch services like security and multi-cloud connectivity without needing to update the branch appliance.
- Managed Service: Prisma SD-WAN
Fortinet vs Palo Alto Networks – Cloud-managed security products
- Cloud Computing with SASE integrations
Cloud-managed security products
As the previous section illustrates, the rise of virtual appliances and managed services has created considerable overlap between product categories. As we detailed in our SD-WAN and SASE overview and SASE market guide articles, SASE has become the umbrella category for a suite of managed security services that splits the network data and control planes into edge hardware with Internet PoPs (data plane) and a cloud service and management interface (control plane). Both Fortinet and Palo Alto Networks deliver managed security services via a combination of SD-WAN and SASE products.
As a reminder, SD-WAN covers the physical and logical (virtual) interconnects and SASE is a compendium of security services, including NGFW, Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Zero-trust network access (ZTNA) with a management, logging and monitoring interface that sometimes feeds into a separate XDR (Extended Detection and Response) service.
The previous section covered the network, SD-WAN layer, the following table summarises how Fortinet and Palo Alto compare in security services.
Fortinet
SASE services: FortiSASE is a cloud-based service designed to secure remote users that is powered by and includes the security features of FortiOS. Fortinet also offers most of these products as a la carte managed services (for example, FortiClient Managed Services).
Security and management features:
- Malware prevention including zero-day protection against unknown threats using dynamic analysis in cloud sandbox environments (FortiSandbox).
- Ransomware protection using behavioural analytics
- IPS with encrypted traffic analysis
- SWG filtering (FortiGuard Web Filtering Service)
- Application controls using complex signatures to detect Web, DB and SaaS applications.
- DLP
- ZTNA that works with Microsoft AD, Okta and other identity providers.
Logging and analytics to help troubleshoot problems and incidents and perform compliance audits.
Palo Alto Networks
SASE services: Prisma Access, a comprehensive SASE product that works with Prisma SD-WAN and includes a connection client (GlobalProtect) supporting split tunnelling and digital experience monitoring of end-to-end performance.
Security and management features:
- NGFW as-a-service
- SWG integrated with CASB to deliver URL filtering, threat protection, malware analysis (Wildfire), DLP and remote browser isolation
- ZTNA with RBAC
Fortinet vs Palo Alto Networks – Consulting and advisory services
Consulting and advisory services
Both companies also have consulting and advisory services. These have become critical to organisations facing increasingly sophisticated and obfuscated threats, particularly those using vulnerabilities in the software supply chain like the SolarWinds and Log4j episodes.
Fortinet
- FortiCloud SOC-as-a-service providing continual monitoring, detection, incident response, incident investigation and forensics, device management.
- FortiGuard Labs Consulting to assist in developing and perfecting a security architecture, training and analysis and mitigation of particular threats.
- FortiGuard global threat intelligence
Palo Alto Networks (Unit 42 group)
- Incident and data breach response
- Proactive assessments
- Global threat intelligence
Fortinet vs Palo Alto Networks – SOAR offering
Both companies offer SOAR (Security Orchestration, Automation, and Response) products — FortiSOAR and Palo Alto Cortex XSOAR — for organisations running internal operations centres.
Conclusion and Recommendations
It is easy to see why Fortinet and Palo Alto Networks consider themselves to be fierce rivals since, as the following product summaries from their respective investor day meetings illustrate, they each have a comprehensive set of network security products and compete across every product line. Nonetheless, both companies were founded on firewall technology and NGFWs remain their strength, with each consistently ranked among the top network firewalls by analysts, product reviewers and buyers.
Fortinet vs Palo Alto Networks – Summary
Summary
Both Fortinet and Palo Alto have evolved their firewall OS and filtering software into a range of security products, including virtual appliances and managed cloud services. Given their maturity, with hardware to suit any installation, both should be on any organisation’s shortlist when evaluating firewall products. Although each enterprise will assess the strengths and weaknesses of Fortinet and Palo Alto Networks in light of their needs and priorities, based on customer comments and our research, we offer the following considerations.
Fortinet
- Easy to deploy.
- Broader product range, particularly suitable for SOHO, retail and WFH installations, including cellular LTE and 5G bridges for SD-WAN endpoints.
- Three models of custom SoCs to accelerate network processing and increase hardware efficiency.
- Customers report more pricing flexibility.
- Ability to buy SASE components as individual products.
- Consistently profitable financial position with accelerating revenue.
Palo Alto Networks
- World-class firewall technology.
- Excellent integration with third-party management tools and APIs.
- Aggressive adopter of cloud services with Prisma Cloud customer base growing 30 per cent and usage 69 per cent in the past year.
- Broader SOAR and XDR offerings.
- Full-featured, Internally-managed SASE product with more than 100 POPs in 77 countries.
- Continued rapid growth, with positive operating income and free cash flow (FCF).