Next-generation firewalls (NGFWs) are a key part of any IT security strategy, adding a wide range of functionality beyond the basic protection afforded by a traditional network security firewall. In a world where new threats emerge daily, that additional functionality and network traffic visibility is sorely needed.
Sophos XG and Fortinet FortiGate both appear on eSecurity Planet's list of 10 top NGFW vendors. What follows is a look at the key features and strengths and weaknesses of each solution. Which one is best for you will depend on your security and throughput needs – and budget.
Sophos XG firewalls provide a good balance of value and security for SMEs, with a wide range of functionality, including a Web application firewall, a secure Web gateway, email protection, ransomware protection and phishing protection – all while blocking 97.82 percent of live, active exploits in NSS Labs tests. One downside of the solution is a lack of integration with third-party endpoint detection and response (EDR) tools.
Blocking 99.71 percent of live, active exploits in NSS Labs tests, the Fortinet FortiGate firewalls offer solid security for customers of all sizes, with hardware and cloud-based solutions available in a wide variety of configurations and price points. The company's FortiOS operating system provides a holistic view into devices, traffic, applications and events throughout the network.
The biggest differences between the two appear in NSS Labs testing. FortiGate was better at blocking threats, yet Sophos rated higher for the effectiveness of its intrusion prevention component. NSS factors exploit block rate and evasions into a product's overall IPS score.
The Sophos XG-750 scored higher than the FortiGate 600D in throughput, while the FortiGate 3200D bested all comers in throughput and connection rates.
Sophos and Fortinet features and options
Sophos XG Firewall provides intrusion prevention, advanced threat protection, cloud sandboxing, dual AV, Web and app control, email protection and a full-featured Web application firewall. Sophos' Synchronized Security links endpoints and firewalls to enable them to communicate and share information, identify compromised systems, and isolate them until cleaned up.
XG Firewall includes reporting at no extra charge, with the option to add Sophos iView for centralized reporting across multiple firewalls. Hundreds of reports can be generated automatically with customizable parameters such as traffic activity, security, applications, Web, networking, threats, VPN, email and compliance.
Fortinet's FortiGate NGFWs offer high performance and integrated security, providing full visibility into users, devices, applications and threats on the network, with the ability to apply advanced protection anywhere in the world. FortiGate appliances provide a fully redundant architecture to eliminate any single point of failure, and are available with multiple 100 GbE interfaces and throughput of more than 1 Tbps.
FortiGuard security services are integrated with the global FortiGuard Labs network to ensure they're constantly updated with continuous threat intelligence, dynamic analysis for advanced threat detection, and automated mitigation to defend networks from advanced cyber attacks. The appliances also leverage the Fortinet Security Fabric, with open APIs and custom fabric connectors to enable security tools to interoperate.
Recent NGFW product improvements
The newest version of the Sophos XG Firewall adds Synchronized App Control, which identifies, classifies and enables the control of all previously unknown applications active on the network. "Synchronized App Control on XG Firewall can reduce the security risks introduced by unidentified traffic by allowing administrators to holistically see what is on their network," Sophos senior product marketing manager Chris McCormack told eSecurity Planet by email.
Recent enhancements to Fortinet's offering include the introduction of FortiGate Virtual Machine (VM) for customers of Oracle Cloud and VMware Cloud on AWS; the release of version 6.0 of the FortiOS network security operating system with over 200 added features; the introduction of the new FortiGate 500E, 300E and 6000F series of firewalls; and the availability of a ruggedized FortiGate firewall solution designed for operational technology (OT) networks in critical infrastructure and industrial organizations.
Strengths and weaknesses: Sophos
Sophos regularly adds to its intellectual property via acquisitions of technology-driven companies, according to Gartner, which notes that the company's revenue growth and customer retention rate are higher than the market average. Clients say Sophos' good price for value is a key factor in choosing the solution, particularly when purchasing a firewall cluster.
Still, the research firm warns that the product may not be a good fit for very large enterprises, since Sophos' business strategy focuses on companies with 5,000 employees or fewer.
"Surveyed clients would like to see Sophos providing integration with leading endpoint protection platforms, in addition to the vendor's own solutions," Gartner notes, adding that surveyed clients and channel partners have also said they'd like to see significant improvements in vendor support.
Strengths and weaknesses: Fortinet
Fortinet offers a good balance of price and performance, according to Gartner, with an "extensive appliance portfolio, good total cost of ownership for bundles and a flexible discount strategy" combining to make it a good shortlist candidate for all enterprise firewall appliance use cases.
Still, the research firm notes that Fortinet seems to be focusing most of its development resources on integrating its existing solutions at the expense of other areas.
And the support experience can be frustrating. "Fortinet does not offer the direct vendor support and premium subscriptions that large enterprise clients might require," Gartner notes. "Client feedback on support is directly impacted by the quality of the channel partner: it gets an average score."
NSS Labs test results
Recent tests by NSS Labs found that the Fortinet 3200D and 600D both blocked 99.71 percent of live, active exploits, while the Sophos XG-750 blocked 97.82 percent. The Fortinet 600D's TCO per protected Mbps was $5, compared to $9 for the 3200D and $6 for the Sophos XG-750.
The Sophos NGFW had a higher Security Effectiveness rating of 90.4 percent compared to 78.6 percent for both Fortinet devices – the rating is a combined look at the effectiveness of the firewall and IPS, along with evaluations of stability and reliability. Sophos rated higher for the effectiveness of its intrusion prevention component. NSS factors exploit block rate and evasions into a product's overall IPS score.
Sophos scored higher than the FortiGate 600D in throughput, while the FortiGate 3200D bested all comers in throughput and connection rates.
Both vendors' products had trouble with HTML obfuscation, a less critical issue than evasions operating at lower layers of the networking stack.
IT Central Station users give FortiGate an average rating of 8.1 out of 10, with Sophos XG following close behind at 8.0 out of 10. Similarly, Gartner Peer Insights users give Fortinet an average rating of 4.5 out of 5, and Sophos an average of 4.2 out of 5.
Many Sophos XG reviewers cited the system's ease of use as a key benefit. Even with multiple firewalls with different access levels, one reviewer noted, "it's very flexible and very easy to use." Cloud management is another key benefit, with one reviewer noting that "anywhere I am, I can always manage the firewall."
FortiGate reviewers said the implementation process is straightforward and the product is easy to use. "The reporting you receive out of this appliance is excellent," one reviewer noted. "You will not need an external management system." Another wrote that the product is "flexible enough to handle everything we could want."
A senior IT infrastructure solutions engineer at a tech services company wrote that Sophos XG's competitive pricing and ease of management were key factors in choosing the product. And it's been "a satisfactory solution so far, no problems," he wrote. "It's very easy to use, and we have technical support for any issues, so it's quite good."
His only quibble was that the firmware update process could be easier. "If they can make the update process much more automatic that would help," he wrote.
Fabrizio Volpe, senior consultant at Unify Square, wrote that one of FortiGate's key strengths is that "the graphical interface is complete and easy to use, especially if we think there is a list of operations that we are able to perform inside," adding that it provides "a great deal of flexibility to design the best solution for our company's needs."
Volpe's main issue with FortiGate lies with the technical support. "Often, your problem is diverted to local partners," he wrote. "I have to say that I have had mixed results with them."
Sophos XG Firewall is available in a variety of hardware models, for popular virtualization platforms, as a software appliance for x86 hardware, and in Microsoft Azure.
Fortinet's NGFWs are available as an appliance, virtual machine, and in the cloud, with the same solution available across all leading public cloud platforms with unified management.
Pricing for Sophos XG Firewall starts at $249 per year for complete protection on the entry-level XG 85 appliance – additional pricing is based on performance and features required.
Each Fortinet model has a base price with service and support options available. The company's entry-level NGFW appliances range from $430 to $1,400, while mid-range enterprise NGFWs range from $2,000 to $14,000.