tag:blogger.com,1999:blog-1532920267188739518.post308494664667498699..comments2024-03-06T03:28:49.328-06:00Comments on Firewall Guru: Fortinet vs Palo Alto NetworksSebastianhttp://www.blogger.com/profile/15029150331907372597noreply@blogger.comBlogger33125tag:blogger.com,1999:blog-1532920267188739518.post-23937461805185232992014-08-13T23:59:15.675-05:002014-08-13T23:59:15.675-05:00Sonicwall? Really? They are not even in the same...Sonicwall? Really? They are not even in the same realm as Palo Alto or Fortinet. Sonicwall is more for Small/Mid size companies. Also, Juniper has gone down the drain with their escape from Netscreen to the SRX series.Unknownhttps://www.blogger.com/profile/13197493352053007881noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-28721784547023665922014-01-30T18:28:38.137-06:002014-01-30T18:28:38.137-06:00Surprised no one suggested Dell SonicWALL .. When ...Surprised no one suggested Dell SonicWALL .. When you're going to spend money on a multiyear solution, you owe it to yourself to keep your options open.Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-39446528932356430732013-12-27T00:10:38.127-06:002013-12-27T00:10:38.127-06:00I just made new post on my recent POCs for Fortine...I just made new post on my recent POCs for Fortinet and Palo Alto. Here is the link if someone interested. http://technologyshifts.blogspot.com/<br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-278142617301544762013-12-25T00:37:39.835-06:002013-12-25T00:37:39.835-06:00http://technologyshifts.blogspot.com/
http://technologyshifts.blogspot.com/<br />Arthttps://www.blogger.com/profile/08934936971107311078noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-6995063940958946632013-11-03T13:43:40.538-06:002013-11-03T13:43:40.538-06:00So, we have a bunch of Fortigate 310/200/400 firew...So, we have a bunch of Fortigate 310/200/400 firewalls/manager/analyzer. Well we are still at FOS 4 MR2. I know that´s not supported anymore since months/years. But after running an upgrade on one of the small ones I lost not the whole configuration but only the admin password was reset to default. And I´m really afraid of deleting the whole or part of the configuration with a firmware upgrade onAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-16913750793959916292013-10-07T10:01:49.108-05:002013-10-07T10:01:49.108-05:00I work as network administrator and use both Palo ...I work as network administrator and use both Palo alto and Fortigate firewalls. I am working with Fortigate firewal and other devices ~4 years. I am new to Palo alto and Panorama, we bougth them just this year.<br /><br /><b>Fortigate</b><br /><br /><i>Good</i>:<br />*Easy to configure common things.<br />*VPN configuration is in one place, not hard to configure.<br />*SSL-VPN offers good optionsDzonatanasnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-255762311135100412013-08-06T17:27:37.672-05:002013-08-06T17:27:37.672-05:00We are small MSSP and we had huge issues with rand...We are small MSSP and we had huge issues with random 100% data plane issues with our Palo units. There datasheets aren't even close when used in the real world. In fact if you look at the current round of datasheets they have a note that says "in ideal conditions". I don't know many firewalls sitting on the Internet living in ideal conditions these days. We moved to Fortinet andAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-44971988579969389682013-04-21T08:24:46.548-05:002013-04-21T08:24:46.548-05:00I've made 100% of IT infrastructure decisions ...I've made 100% of IT infrastructure decisions (AV, content filtering, e-mail spam filtering, firewall, routing, switching, VPN and virtualization to name a few) over multiple decades based on my own findings; paying zero attention to Gartner Group "research" (and others like them).<br /><br />Been around the block with firewalls: Axxent, Cisco, Chuck Point, NS/Juniper, ... and IDSAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-11682811305503399362013-04-15T19:00:05.327-05:002013-04-15T19:00:05.327-05:00Great blog... My question is why does PA keep domi...Great blog... My question is why does PA keep dominating the Gartner quadrant for NGFW? Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-1886955387350637732012-10-15T15:19:26.373-05:002012-10-15T15:19:26.373-05:00After reading the NGFW vs UTM posts,
I am starti...After reading the NGFW vs UTM posts, <br /><br />I am starting to think the passion of the PAN folks is motivated by their desire to keep their job in a tight economy after having spent well more than double what they needed to meet requirements.<br /><br />The "Easy button" is overrated. Just my $.02<br />--<br /><br /><br />Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-83074982618302679912012-08-30T03:24:44.368-05:002012-08-30T03:24:44.368-05:00A very interesting read. Some of the comments abou...A very interesting read. Some of the comments about Fortinet are misleading, wrong or perhaps based on old information.<br /><br />You can do 99% of things in the Fortinet GUI. There are a tiny number of things such as PPTP setup that need the CLI.<br /><br />Reporting and monitoring is good with the FortiAnalyser but does require an investment in time to setup.<br /><br />Troubleshooting with Paulhttps://www.blogger.com/profile/06484323239650894959noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-39397505641167864042012-08-13T00:02:06.254-05:002012-08-13T00:02:06.254-05:00Correction to my previous request. Its the intern...Correction to my previous request. Its the internal interface that I brought down.<br />Since I brought down internal interface, I can't access this box. What are my options now? Your help is greatly appreciated.vgihttps://www.blogger.com/profile/03158163301319735273noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-42705526500657638262012-08-12T23:59:16.278-05:002012-08-12T23:59:16.278-05:00Hello Mate,
I am new to networking and hoping you ...Hello Mate,<br />I am new to networking and hoping you will do me a favor. I have a quick question about fortigate. I have one of these units and no console cable. So using the RJ45 cable to internal port and accessed the web console. My ignorance, I went to System->interfaces and clicked on bring down interface. Now I can't access this box. What are my options now? Your help is vgihttps://www.blogger.com/profile/03158163301319735273noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-18969622009092608582012-08-09T22:11:08.387-05:002012-08-09T22:11:08.387-05:00Indeed, many thanks, Sebastian. Best of luck. Will...Indeed, many thanks, Sebastian. Best of luck. Will be reading.a fannoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-64235250857518708412012-08-09T09:37:39.945-05:002012-08-09T09:37:39.945-05:00Thanks Michel,
of course if it was entirely up to...Thanks Michel,<br /><br />of course if it was entirely up to me you know what platform we would choose ;)Sebastianhttps://www.blogger.com/profile/08701147779838193450noreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-59853067647183516162012-08-09T00:12:15.388-05:002012-08-09T00:12:15.388-05:00Congratulations with your new job.
I truly hope yo...Congratulations with your new job.<br />I truly hope you will decide to choose Fortinet as UTM solution so this blog will extend and extend.<br /><br />It has been and is a great resource for troubleshooting Fortigates, thank you for that!Michel Schuurmannoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-86549484055226827152012-07-31T02:25:34.829-05:002012-07-31T02:25:34.829-05:00We are MSSP both serving customer using PA and For...We are MSSP both serving customer using PA and Fortinet. Both have there pro and consAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-72857653929767369512012-06-21T04:07:29.944-05:002012-06-21T04:07:29.944-05:00Followup on the Defcon19...
Claim: Some applicati...Followup on the Defcon19...<br /><br />Claim: Some applications can only be identified on specific ports. <br /> <br />Partially true. The application example given was DNS. The identification scheme for DNS includes a check for port 53 since we don¹t expect any real world DNS service to be running on any other port and since DNS traffic is often very short and difficult to reliably identify by Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-38437897662788444232012-06-21T04:07:02.536-05:002012-06-21T04:07:02.536-05:00Followup on the Defcon19...
Claim: Does not inspe...Followup on the Defcon19...<br /><br />Claim: Does not inspect both Client-to-server and Server-to-client directions of traffic. <br /> <br />Not true. Traffic is inspected in both directions. We repeated the test described in their claim, sending an HTTP GET request followed by a FTP server response on the same session. The session is initially identified as web-browsing but switches to Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-61701797281838723742012-06-21T04:06:24.630-05:002012-06-21T04:06:24.630-05:00Followup on the Defcon19...
Claim: Application fi...Followup on the Defcon19...<br /><br />Claim: Application firewalling does not replace the need for IPS. <br /> <br />Absolutely true. There is no question that IPS technology is a requirement. App-ID is not intended to replace IPS or even reduce the need for it. This is the reason we have invested in building a best-in-class IPS functionality into the device. This is also why IPS is a critical Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-81134962122084233702012-06-20T19:22:52.461-05:002012-06-20T19:22:52.461-05:00Ok enough of spamming but thats the comments I hav...Ok enough of spamming but thats the comments I have about PA - not really negative but still things you should keep in mind.<br /><br />By the way one of my posts seems to be automagically deleted for some unknown reason (regarding testcase and previous vuln)?Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-38834545689555459792012-06-20T19:20:58.878-05:002012-06-20T19:20:58.878-05:00continued...
* Performance worries
Found at the ...continued...<br /><br />* Performance worries<br /><br />Found at the PA forums:<br /><br />" <br />Perfomance on PA 4060 - Huge Disappointment: <br /> <br />We are having a poc at an ISP with a 4060 . It is a huge disppointment performance wise . We are seeing very high dataplane utilization on very small sessions. 50% on 220,000 sessions. 38% on 149,000 sessions. This is a box that is Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-71110788840276077162012-06-20T19:15:33.959-05:002012-06-20T19:15:33.959-05:00continued...
* DEFCON19
Juniper seems to be upse...continued...<br /><br />* DEFCON19<br /><br />Juniper seems to be upset at Palo Alto Networks:<br /><br />www.youtube.com/watch?v=s2cz--bzZRE <br />DEFCON 19: Network Application Firewalls: Exploits and Defense <br /> <br />http://www.youtube.com/watch?v=G8U-1J4SI4o <br />DEFCON 19: Network Application Firewalls: Exploits and Defense ( w speaker) <br /><br />I have got a response from a Sales Anonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-89589873614124074212012-06-20T18:52:12.656-05:002012-06-20T18:52:12.656-05:00continued...
* Application dependencies
Some app...continued...<br /><br />* Application dependencies<br /><br />Some applications, for example "Facebook", have dependencies towards other applications which must also be enabled for a particular rule to function. This gives that occassionally one are forced to open a bit too much (based on content of the flow/session).<br /><br />This is said to be addressed in PAN-OS 5.0 who will betterAnonymousnoreply@blogger.comtag:blogger.com,1999:blog-1532920267188739518.post-72530243569831688592012-06-20T18:51:45.505-05:002012-06-20T18:51:45.505-05:00Stuff to watch out for (or at least keep in mind):...Stuff to watch out for (or at least keep in mind):<br /><br /><br />* SSL-decryption (whitelistning).<br /><br />PA uses a whitelist for certain CN so its SSL decryption wont block stuff that cannot be decrypted anyway (for example windowsupdate, which if being SSL-terminated wont function).<br /><br />Current list is available at https://live.paloaltonetworks.com/docs/DOC-1423 <br /><br /><br />Anonymousnoreply@blogger.com