Sunteți pe pagina 1din 4


Not for Distr

Battle Card

WatchGuard XTM 5 & 8 vs. Fortinet

Overview: WatchGuard vs. Fortinet
WatchGuard offers an unbeatable combination of performance, security, and ease of use. Fortinets UTM product strategy is based heavily on its ASIC technology. The custom silicon allows their boxes to run very fast for packet filtering and VPN, but at a considerable penalty for general-purpose tasks such as AV and IPS scanning. Customers and resellers alike realize the numbers that matter are those showing how an appliance performs when delivering security services, not just packet filtering. Gartner has indicated that prospects are turned off by products with a wide gap between packet filter and UTM performance.

Questions to ask prospective buyers:

Do you get the fastest performance?
WatchGuard XTM appliances provide faster throughput for anti-virus and IPS compared toFortinet models at the same price. Fortinet products are designed to optimize packet filter throughput, but they fall down when security services are enabled.

Cost / Speeds&Feeds / Features XTM 515 XTM 525 XTM 535 XTM 545 FG-100D FG-200B FG-300C AV Throughput** IPS Throughput** Drag and Drop VPN Number of Reports Application Proxies
1.5 Gbps 1.6 Gbps Yes 50+ Yes 1.7 Gbps 1.7 Gbps Yes 50+ Yes 1.8 Gbps 1.8 Gbps Yes 50+ Yes 2 Gbps 1.9 Gbps Yes 50+ Yes 300 Mbps 95 Mbps 200 Mbps

Do you have the best possible security?

WatchGuard incorporates best-inclass security services from industry stars such as Websense, AVG, and Commtouch, and incorporates them into a well-integrated, simple management interface.

950 Mbps 650 Mbps 1500 Mbps No <5 No No <5 No No <5 No

Do you need comprehensive historical reporting without breaking the budget?

WatchGuard bundles over 50 predefined historical reports, while FortiGate products come with fewer than 5 unless you purchase costly FortiAnalyzer.

Example comparison AV Throughput** IPS Throughput** Drag and Drop VPN Number of Reports Application Proxies

XTM 810
2 Gbps 2.1 Gbps Yes 50+ Yes

XTM 820
2.1 Gbps 2.4 Gbps Yes 50+ Yes

XTM 830
2.3 Gbps 2.7 Gbps Yes 50+ Yes

1.3 Gbps 4.0 Gbps No <5 No

1.7 Gbps 6.0 Gbps No <5 No

Do you need to connect multiple offices?

WatchGuard System Managers Drag and Drop VPN method allows for fast, easy, secure connections between locations.

Do you use multiple WAN connections?

WatchGuards Fireware XTM supports up to 4 WAN connections, and has easy yet powerful multi-WAN failover and load balancing features.

* Fortinet does not publish UTM throughput, but advises customers wishing to run multiple security services to size based on the lowest performance number, typically Anti-Virus (AV) throughput.

Do you want to control traffic priority with QoS?

Fireware XTM has a richer implementation, allowing you to control priority of users, applications, or data flows. Fortinet has a minimal implementation and what is there may be configured via the CLI only.

Get red. Get secured.


Not for Distr

Battle Card

Fortinet and TCO

P  rice per Mb of AV performance is much higher than WatchGuard Fortinet products are fine for fast firewall/ VPN performance, but for customers looking for true unified threat management, reaching performance equivalent to WatchGuards XTM 8 Series, even spending thousands more, is not attainable, even on their very high-end equipment! C  entralized Logging and Management Tools Fortinet charges extra for FortiAnalyzer and FortiManager. Each of these products adds thousands to the total system price (Minimum $9,995 for FortiManager 400A, the minimum FortiManager for the 310 and 620 models, and $1,495 for the FortiAnalyzer 100C). By contrast, WatchGuard bundles full centralized management and logging/ reporting functionality with every XTM appliance. S  pam Quarantine When using the WatchGuard spamBlocker subscription, full-featured quarantine server software is included. Fortinets quarantine is part of the separate FortiAnalyzer product (minimum $1,495 extra).

Points of Emphasis
L  ow Speed: Fortinet ASIC technology is GOOD for firewall performance, but very POOR for Content Inspection performance. Fortinets own internal sales literature advises using the slowest speedtypically AVin sizing boxes for customer networks. For example FortiGate 620B offers a Firewall with 16,000 Mbps, but only 250 Mbps AV ONLY throughput! M  ore Expense: Fortinet charges for items that WatchGuard bundles. Central Management & logging cost extra with Fortinet. The three year TCO for Fortinet solutions compared to WatchGuard looks like this: ~ Average 3.11x for appliance + MVPN clients ~ Average 2.32x for UTM bundle ~ Average 2.93x for UTM bundle + MVPN clients Other additional costs: ~ Central Management appliance $2,254 extra ~ Logging appliance $1640 extra

AV Throughput (Mbps) vs. 1-year Bundle Price (USD)

2400 XTM 810 XTM 830 XTM 820 XTM 545 XTM 525 XTM 515 1200 XTM 535 Fortigate 300 C Fortigate 600C

L  ess Usability: Fortinet does not offer much in the way of useability or network visibility tools, unlike WatchGuard, which includes full centralized management and logging/ reporting functionality with every XTM Series appliance. Their solutions do not include: Drag and Drop VPN, HostWatch or Traffic Monitor. There are two included reports unlike the 65+ provided standard with WG XTM solutions.  Anti-virus lock-in: Fortinets strategy is to lock users into a single set of AV protection by deploying the same proprietary AV at the endpoint and the gateway. WatchGuard deploys a best-in-class AV solution at the XTM appliance, and allows customers to choose a different vendor at the endpoint for double protection.


Throughput (Mbps)

Fortigate 1000C




Fortigate 100D Fortigate 200B















This chart includes models for which this information is published by the vendor. There may be other models sold by the vendor for which UTM throughput or price was unavailable at the time of this publication.

Get red. Get secured.


Not for Distr

Battle Card

Significant Feature Advantages for WatchGuard

Feature XTM Series FortiGate Why it matters
Application proxies provide smart defaults for out-of-the-box protection. They allow almost unlimited ability to custom-tailor the security policy to the organizations needs. Proxies not only provide zero-day attack prevention, they also add robust client and server protection capabilities such as command limiting, server cloaking, control over cookies, and much, much more. WatchGuards suite of real-time monitoring tools make troubleshooting a breeze, with live displays of allowed and denied traffic, user activity, bandwidth usage, and more. Businesses need the ability to define, enforce, and audit security policies based on applications, users, and groups. WatchGuard Application Control manages a higher number of applications than FortiOS (over 1,800 vs. 1,200). Fortinet does not have ALGs for VoIP protocols, which means they have little to no applicationspecific VoIP security. Policy Manager has a major advantage over Web UIs such as Fortinets in that it allows the admin to create the policy offline, then deploy it when needed; it also makes it easy to make multiple versions of a config, then change them in/out to test different configurations.

Application Proxies

Interactive Real-Time Monitoring

Application Control

Protocol-specific VoIP Security Graphical, offline policy editor

Drag and Drop VPN Full suite of reporting tools included Encrypted, TCP-based logging with no extras to buy Next-Generation anti-spam and included quarantine

Makes creation of site to site tunnels a snapand everything you need is included with the product.

Reporting is a costly add-on for Fortinet; the appliances come with only a small handful of reports, compared to WatchGuards over 50 included reports.

TCP ensures messages arent lost; encryption provides security. Fortinet only supports encrypted logging with the FortiAnalyzer (separate purchase).

WatchGuards spamBlocker uses a next-generation anti-spam technology that makes it highly effective, language- and content-independent, and extraordinarily easy to configure. It also includes a full-featured quarantine server package, whereas Fortinets spam quarantine requires the FortiAnalyzer (separate purchase). WatchGuard is the only UTM to offer web reputation defense as a fully integrated security subscription. This cloud-based reputation service aggregates data from multiple feeds for realtime protection and for optimization of anti-virus processing; tests show a reduction of up to 50% in AV processing overhead. Protect your users from malicious web content while reducing web processing time with Reputation Enabled Defense.

Reputation Enabled Defense

Get red. Get secured.


Not for Distr

Battle Card

Best-in-Class Security Solutions

Whereas other solutions rely on small in house teams, WatchGuard partners with the leading companies in the security industry to deliver best in class security solutions to our customers. For Gateway AntiVirus, AVG Accolades: WatchGuard relies on the proven technology of AVG, a company with over $270 million in revenue that is completely dedicated to AntiVirus solutions. AVG has an R&D team of over 200 people, and their products are installed on more than 110 million endpoints worldwide. Best-in-Class AntiVirus: Better Threat Coverage

Webblocker uses a url database from Websense, the #1 stand-alone security company with $370 million in revenue, and a specialist in url filtering and web security. Websense has earned the most web security revenue four years in a row, as measured by IDC, and they were chosen by Facebook as their url filtering solution. Commtouch, antiSpam:

Websense accolades:

In business since 1991, Commtouchs patented RPD technology in the Cloud provides spamBlocker with the only effective antispam solution for low footprint UTM appliances. Commtouch reviews over 4 billion messages per day looking for spam outbreaks. BroadWeb, Application Control: Application Control Signatures and behavioral detection are provided by Broadweb, with over 1800 applications included. This solution provides broader coverage than other UTM vendors, and includes a unique drill down capability for application sub-functions. BroadWeb, IPS: A comprehensive set of signatures is also provided by Broadweb. Every signature update is tested with industry leading, MuDynamics test equipment.


Regular (Proxy)

Extended (buffer)


Extended 500K 1M 1.5M 2M 2.5M

Along with providing more comprehensive signature sets, the WatchGuard engine also incorporates heuristics capabilities to detect new viruses that signatures alone cannot catch.

Fortinet has FEWER administrative tools. Fortinet has LIMITED Multi-WAN support. Fortinet has WEAK QoS support. Fortinet has HUGE performance degradation with security on. Fortinet is MORE EXPENSIVE over time.

No express or implied warranties are provided for herein. All specifications are subject to change and expected future products, features or functionality will be provided on an if and when available basis. 2012 WatchGuard Technologies, Inc. All rights reserved. WatchGuard, the WatchGuard logo, and LiveSecurity are registered trademarks of WatchGuard Technologies, Inc. in the United States and/or other countries. All other tradenames are the property of their respective owners. Part No. WGCE66772_052512

Get red. Get secured.