
VM-SERIES VS. FORTIGATE–VM ON AWS
OVERVIEW AND CHALLENGES

Product Overview
Palo Alto Networks® VM-Series next-generation firewall is an AWS® Networking Competency and Security Competency Partner offering that enables customers to securely move production workloads onto AWS with confidence that their applications and data are protected from cyberattacks. Complementing native AWS security features, the VM-Series protects workloads with whitelisting policies based on applications and users and then prevents known and unknown threats within the application flows. Automation features enable security to be deployed at the speed of the cloud.

Customer Challenges
• Must embrace the Shared Responsibility Model – security for the applications and data is the customer’s responsibility.
• Lack complete visibility into the applications running in their AWS deployment.
• Need to protect their AWS environments from known and unknown threats, whether inbound or moving laterally, while preventing data exfiltration.
• Need central management for policy consistency; must automate deployments to ensure security keeps pace with the cloud.

SELLING POINTS

Top Selling Points
• Consistent leader in Gartner’s Magic Quadrant® for Enterprise Network Firewalls
• App visibility and control, regardless of port, helps reduce threat footprint
• Prevention of known and unknown threats within allowed apps
• Control over file transfers by type and app function
• Automation features for “touchless” firewall deployment and policy updates
• Central management of physical and virtualized firewalls for policy consistency
• Scalable security with Auto Scaling integration and Transit VPC support

FEATURES

Key Features
• Complete visibility into applications, content and users improves security decisions
• Segmentation and application whitelisting aid data security and compliance
• Applications and data are protected against known and unknown threats
• Multiple defenses block data exfiltration and unauthorized file transfers
• Centralized management delivers policy consistency
• Automation features help streamline deployments
• Auto Scaling and Transit VPC enable security at scale

[Figure: VM-Series on AWS]
• Gateway: Protect workloads from internet-borne threats
• Segmentation: Separate applications and data for security and compliance
• Hybrid: Extend application development onto AWS
• GlobalProtect: Extend policies to remote users and devices

© 2018 Palo Alto Networks, Inc. | VM-Series vs. Fortigate-VM on AWS | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
HOW TO COMPETE
• High availability: VM-Series leverages native AWS services to support both traditional active/passive and Auto Scaling HA. FortiGate-VM relies on a worker node, manual configuration and invocation of scripts for HA and has no health check mechanism for the script or node, leading to a possibility of a single point of failure, thereby defeating the purpose of having HA to secure production workloads.
• Bootstrapping: VM-Series can be bootstrapped with multiple NICs along with Panorama™ registration and full configuration. It simplifies VM-Series Zero Trust deployment and is a key feature for automation. FortiGate-VM can be bootstrapped with only a single NIC and has no provision for FortiManager® registration. Customers will have to manually add more interfaces for segmentation, and this limitation will impede the ability for rapid, fully configured FortiGate-VM deployments with central management.
• Transit VPC: Palo Alto Networks Transit VPC template has a built-in provision to scale automatically as the number of subscribing VPCs reaches a threshold. Fortinet® has no scaling consideration for subscribing VPCs, so customers will have to manually track the resource utilization of FortiGate-VMs and intervene to spin up a new set of firewalls for additional VPCs.
• CloudWatch metrics: VM-Series can publish eight different native PAN-OS® metrics to AWS CloudWatch, which gives customers more flexibility to scale in dynamic environments. FortiGate-VMs can only publish two FortiOS™ (concurrent sessions and session setup rate) metrics to AWS CloudWatch, limiting customers’ scaling options.

FEATURE COMPARISON MATRIX

| Feature | VM-Series (8.1) | FortiGate-VM (6.0) |
|---|---|---|
| Bootstrapping with Multi-NIC | Yes | No |
| High availability implementation | Active/Passive and native cloud services for Auto Scaling | Worker node with scripts for both HA and Auto Scaling |
| Custom metrics of firewall for CloudWatch monitoring | Eight | Two |
| Predictable performance with all features enabled | Yes | No |
| Detect and prevent application port-hopping | Yes | No |
| Prevent credential theft | Yes | No |
| MFA to secure critical applications | Yes | No |

OBJECTIONS

Fortinet claims to have unparalleled third-party certifications
• Fortinet maintains a comparison matrix of all third-party tests its products have undergone to position itself as the security leader in front of its customers. This matrix is not a security assessment of a vendor’s capability to prevent successful cyberattacks. Always encourage a PoC to demonstrate the true threat prevention capability of our platform.

Fortinet claims performance issues with our single-pass architecture
• Single-pass architecture uses a unique parallel processing architecture in which multiple deep packet inspection engines are processed in parallel, unlike the traditional UTM-based linear processing architecture, where performance degrades with additional inspections turned on.

Fortinet claims to offer the industry’s only “Security Fabric”
• Fortinet’s security fabric is a paid-for API alliance with partners and is a mesh of helper Forti-products stitched together to emulate a platform. Palo Alto Networks Security Operating Platform, built from the ground up, prevents successful cyberattacks consistently across the cloud, network and mobile by leveraging built-in automation, analytics, tight integration across the products and an ecosystem of partners.

CONTACTS AND RESOURCES
• Customer-facing content: go.paloaltonetworks.com/cloud
• Competitive intel: compete.paloaltonetworks.com
• Partner-facing content: www.paloaltonetworks.com/partners
