FlashOver
New Contributor

Performance experience

Hi. Working for enterprise customers, we see a lot of Cisco routers and more and more Juniper SRX used for network routing. So I like Fortigate a lot more, and it can be configured for OSPF, BGP, RIP and so on as well. But I do not have experience regarding throughput. Can somebody tell me from his experience if a Fortigate can be used for routing in high performance networks as well, or is a Juniper SRX a lot better/faster doing that? The Juniper SRX is a router with security features while Fortigate is a firewall with routing features... And I haven't seen any throughput tests focusing on routing for Fortigate. Would be great if somebody can share his experience. PS: We're talking about a Fortigate with only one any-any rule and nothing further enabled besides routing and interface configuration. PPS: I have talked to two big Fortinet partners and consulting companies - they implement Juniper SRX or Extreme Networks for routing and not Fortigate. But they can not tell me why - they said Juniper SRX is a router and our customer requested a router.
emnoc
Esteemed Contributor III

Why would you want to deploy a L3 firewall as a router with a single "any any" policy?
The Juniper SRX is a router with Security Features while Fortigate is a Firewall with routing features
Also I think you're mistaking the SRX; it's a security gateway, just like the Fortigate, that does routing and has routing features (BGP, OSPF, VPN, MPLS {Juniper}, GRE and IPnIP tunnel, etc....). An MX is more of a router with some security functions & features. But the two are totally different and serve a different audience. It would be like trying to compare an F150 pickup to an International. They all have wheels and a powerplant, but do two different jobs and serve a different purpose.

Now would I ever use a Fortigate or SRX as a pure router? No & hell no. Here's the reason why: they are firewalls 1st (that's the area they excel in);
- they have limits on the number of sessions (typical of any firewall, regardless if it has one fwpolicy or 4k fwpolicies);
- other things like a true "router" would be much better for routing;
- firewalls have limits on BGP and OSPF performance and memory (CPU size and memory);
- limits on the number of interfaces & interface types;
- firewalls typically have higher latency numbers than a router or L3 switch;
- they have firewall enhanced features for acceleration & inspection of "security" issues (a router does not, and it would be a waste of money to buy one (firewall) for that);
- per Gbps a firewall is typically more pricey when compared to a router;
- per interface a firewall is more pricey when compared to a router;
- etc.....

I think you should follow the Fortinet partners' logic and use a router as a router. Use a firewall as a firewall. You have a host of devices from MX, Mi (Juniper) or ISR/ASR (Cisco) that would be better served as a router, and cheaper if I may add.

PCNSE NSE StrongSwan
HA
Contributor

Hello, I deployed SRX (a cluster of SRX 240) for one of our customers 4 years ago. NEVER AGAIN! That's probably the worst platform I had to deal with (I have experience with Checkpoint, Palo Alto, Juniper SSG, Fortinet, and Cisco). Basically, I had problems with almost all of the implemented features.
- Integration with NSM (mgmt platform): impossible to push config. SRX stops sending logs.
- UTM features: firewall stopped when enabling AV or URL filtering.
- HA instability: primary moves to slave status without any reason.
- Nightmare upgrade: more than 90 minutes to upgrade two nodes.
- OSPF: very nice bug this one. 3 DAYS to establish an OSPF adjacency. The devices (and the OSPF process) were restarted several times.
The number of bugs on this platform is countless... A month ago, we replaced the cluster of SRX with a cluster of FGT240D. No problem at all!! Throughput is better on Fortigate because of the ASIC power, by the way. Regards, HA
FlashOver
New Contributor

Hi emnoc, you're right. Dedicated routers (built for that job) are of course better, but we see the SRX a lot of the time in core networks in the energy and financial market. Juniper MX or Cisco ASR would be better of course, but it seems that in a lot of deployments like that the SRX is a bit of everything. @HA: 4 years is a long time - that was a terrible start for the SRX as far as I heard and could read. Have you still had the same problems with the latest JunOS releases (12.1 for example)? Juniper representatives tell me it's all good now - of course they say that. While I know some damned big installations with SRX in the core working fine, I think a lot has changed. Of course I would prefer a Fortigate as well - but when you look at job and hiring portals, everybody is asking for Juniper or Cisco know-how besides CheckPoint... that's the current situation within the enterprise customers.
emnoc
Esteemed Contributor III

My past & current experience with Juniper JunOS has been a mix of good and bad, but no worse than Fortinet or Cisco. Where Juniper is lacking imho is fixing bugs in a timely fashion. I've been involved with Juniper since the NetScreen acquisition, and when they have bugs in JunOS, they take forever to build a release. But when they fix it, it's fixed! If you're looking for "routing" function in a firewall, hands down Juniper beats the pants off Fortinet, Palo and even the Cisco ASA (Another Sorry Appliance :)). If you're needing inspection, app-awareness and application controls, Fortinet beats the pants off Juniper, & look nowhere else except for FireEye or Palo, who are slightly ahead of Fortinet in this area. If you need SSL/IPSEC remote-access VPN, then Fortigate all the way, and stay away from Juniper and Cisco products. That's my 2ct opinion based on using all three in both network & security sectors. They all have pros and cons; none are the master at anything.

PCNSE NSE StrongSwan
FlashOver
New Contributor

I worked round about 5 years with big Cisco ASA deployments for VPN and Remote Access. For that, it's great and I like the AnyConnect client. But that's the only area where I can recommend it compared to the main competitors on the market. So for routing I will have a deeper look at JunOS. On all other topics I still prefer Fortinet, even when I have a PaloAlto appliance next to me as well :) But I bet that it will take some further years to kick CheckPoint out of enterprise networks. Whoever has a big CP installation with Provider-1 and so on will not give it up just to save "a lot" of money. And it's also not that bad with GAIA. Thanks for sharing your experience.
FortiRack_Eric
New Contributor III

Hi Emnoc, can you elaborate on how Junos is better in routing than FortiOS? I'm curious! Thanks, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
emnoc
Esteemed Contributor III

Simple. They have encompassed a lot of their routing technologies from the classic legacy M series into the SRX. So features like:
- MPLS/VPLS
- GRE tunnel
- BGP (L3-VPN, import/export route-policy, support of multiple address-families, etc....)
- IPv6 unicast routing
- MSDP (multicast)
- All chassis bigger than a 2XX series have some type of WAN-module support
(I can go on and on about the advanced routing features that Fortinet just doesn't even have on the map.) All of the above have been more involved and way earlier than Fortinet and way earlier than Cisco. Both of the latter have been playing the catch-up game. E.g. Cisco just now offers BGP in 9.2.1; Fortigate still does not have label recognition for layer 2.5. They all have PROs, but the Juniper lineup, from a pure network enterprise or SP arena, just flat out beats the pants off Fortigate & Cisco. Also, roughly looking at it, their hardware has a good realistic packet flow process, and more so if you do what the OP suggests and make the SRX a router (packet-based).

PCNSE NSE StrongSwan
FortiRack_Eric
New Contributor III

GRE tunnel is in the CLI to my knowledge. IPv6 unicast is there too. Don't know about the rest. Have you been in contact with a Fortinet PM? Cheers, Eric

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
emnoc
Esteemed Contributor III

True, but MP-BGP/L3VPN AFI-6 is not, & the same for the IPnIP proto 41 v6 tunnel. From a routing aspect and features, Juniper leads the pack followed by Fortinet, and Cisco is still trying to figure out how to get to 2nd base.

PCNSE NSE StrongSwan