VM-SERIES VS. FORTIGATE–VM ON AWS

OVERVIEW AND CHALLENGES

Product Overview

Palo Alto Networks® VM-Series next-generation firewall is an AWS® Networking Competency and Security Competency Partner offering that enables customers to securely move production workloads onto AWS with confidence that their applications and data are protected from cyberattacks. Complementing native AWS security features, the VM-Series protects workloads with whitelisting policies based on applications and users and then prevents known and unknown threats within the application flows. Automation features enable security to be deployed at the speed of the cloud.

Customer Challenges

• Must embrace the Shared Responsibility Model – security for the applications and data is the customer’s responsibility.
• Lack complete visibility into the applications running in their AWS deployment.
• Need to protect their AWS environments from known and unknown threats, whether inbound or moving laterally, while preventing data exfiltration.
• Need central management for policy consistency; must automate deployments to ensure security keeps pace with the cloud.

TOP SELLING POINTS

• Consistent leader in Gartner’s Magic Quadrant® for Enterprise Network Firewalls
• App visibility and control, regardless of port, helps reduce threat footprint
• Prevention of known and unknown threats within allowed apps
• Control over file transfers by type and app function
• Automation features for “touchless” firewall deployment and policy updates
• Central management of physical and virtualized firewalls for policy consistency
• Scalable security with Auto Scaling integration and Transit VPC support
FEATURES

• Segmentation and application whitelisting aid data security and compliance
• Multiple defenses block data exfiltration and unauthorized file transfers
• Centralized management delivers policy consistency
• Automation features help streamline deployments
• Auto Scaling and Transit VPC enable security at scale

[Figure: VM-Series use cases on AWS – Segmentation: Separate applications; Hybrid: Extend application development onto AWS; GlobalProtect: Extend policies]
© 2018 Palo Alto Networks, Inc. | VM-Series vs. Fortigate-VM on AWS | Confidential and Proprietary Information: For internal use and authorized partners under NDA with Palo Alto Networks only. 1
VM-SERIES VS. FORTIGATE–VM ON AWS

FEATURE COMPARISON MATRIX

Feature                                                          | VM-Series (8.1)                                           | FortiGate-VM (6.0)
-----------------------------------------------------------------|-----------------------------------------------------------|----------------------------------------------------------------------
Bootstrapping with Multi-NIC                                     | Yes                                                       | No
High availability                                                | Active/Passive and native cloud services for Auto Scaling | Worker node implementation with scripts for both HA and Auto Scaling
Custom metrics of firewall for CloudWatch monitoring and scaling | Eight                                                     | Two
Predictable performance with all features enabled                | Yes                                                       | No
Detect and prevent application port-hopping                      | Yes                                                       | No
Prevent credential theft                                         | Yes                                                       | No

HOW TO COMPETE

• High availability: VM-Series leverages native AWS services to support both traditional active/passive and Auto Scaling HA. FortiGate-VM relies on a worker node, manual configuration and invocation of scripts for HA, and has no health check mechanism for the script or node, leaving a possible single point of failure and thereby defeating the purpose of having HA to secure production workloads.
• Bootstrapping: VM-Series can be bootstrapped with multiple NICs along with Panorama™ registration and full configuration. This simplifies VM-Series Zero Trust deployment and is a key feature for automation. FortiGate-VM can be bootstrapped with only a single NIC and has no provision for FortiManager® registration. Customers will have to manually add more interfaces for segmentation, and this limitation will impede rapid, fully configured FortiGate-VM deployments with central management.
• Transit VPC: The Palo Alto Networks Transit VPC template has a built-in provision to scale automatically as the number of subscribing VPCs reaches a threshold. Fortinet® has no scaling consideration for subscribing VPCs, so customers will have to manually track the resource utilization of FortiGate-VMs and intervene to spin up a new set of firewalls for additional VPCs.
• CloudWatch metrics: VM-Series can publish eight different native PAN-OS® metrics to AWS CloudWatch, which gives customers more flexibility to scale in dynamic environments. FortiGate-VMs can only publish two FortiOS™ metrics (concurrent sessions and session setup rate) to AWS CloudWatch, limiting customers’ scaling options.