COMPETITIVE BATTLECARD

Palo Alto Networks Challenges

Lacks market penetration beyond
Fortinet vs. Palo Alto Networks the enterprise and recognition in
the other Gartner MQ
Market Research & Analysis Falls short in performance
Limited Application Visibility
Selecting the right product is important. Gartner, IDC, & NSS Labs has Total Cost of Ownership is not
provided market research for security. Gartner provides market competitive in the market
research on its customers. NSS Labs provides third-party security lab
validation with the same test methodology on the competitors
models. IDC & Infonetics provides the growth and contraction rates
with the competitors.

In the Gartner Magic Quadrant for Enterprise Firewall (2015) and Unified Threat Management, Fortinet is in
both research and ranks #1 and top 3 vendors. Gartner validates Fortinets growth in the enterprise,
recommends us to the vendors shortlist, and acknowledges that Fortinet is a significant threat to
competitors.

Gartner mentioned its clients report Palo Alto Networks direct sales and resellers being overly optimistic about
the performance. Also, the clients complaints received regarding Palo Alto Networks usually relates to
management console issues and scale. This confirms suspicions that PAN cannot scale into large global
accounts. Fortinet can provide cyber-security protection to customers in both Gartner MQ.

Fortinet Partner Confidential

competitive@fortinet.com
COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

In the IDC research, it provides overall market growth in the different price bands. Fortinet has grown in the
data center, enterprise, and distributed branch/ retail segments. Fortinet continues to outpace other
competitors in this market segment. In the Infonetics Research, Fortinet is a top security vendor for the Data
Center segment.

Fortinets revenue of each segment is fairly balanced with entry, mid-range, and high-
end models at 37%, 26%, and 37%, respectively. Palo Alto Networks is focused in the
mid-enterprise markets. The product revenue shows Fortinets ability to execute and
service these different customer market segments. In the high-end, customers are
requiring high-performance security. In both the high-end and mid-range, these
customers are looking for best of breed and NGFW. The entry-level requires more
consolidated and cost-effective security appliances.

Slow Is Broken Performance Matters

There are a few architectures for security. There is the software-based architecture, which relies on a general
CPU, and it tends to have performance issues. Using a CPU, with other off the shelf silicon, which offloads
some of the security tasks, to increase performance is another approach. However, merchant chip vendors
are not close to enough to the end customer to obtain feedback to improve its silicon.

PAN has challenges with its Single Pass Architecture, because it only scans
based on stream based, which has a number of limitations. It lacks not
support a wide range of compression file types malware uses to propagate.
PAN uses DSRI to increase performance in one-way scanning, but the
performance dramatically drops with bi-directional scanning is enabled. PAN
relies heavily on the hash antivirus signatures to make its detection. This can
lead to a high number of false positives and performance issue. PANs
architecture sacrifices performance and security in business networks, which
leads to negative business continuity and uptime.

Another approach is designing ASIC architecture, integrating, software, and

security updates from its research team and 3rd party. Fortinet is a security
innovator and we have taken the approach of designing our FortiASIC
architecture, which provides Optimum Path Processing, which

2

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

delivers predictable high performance, ultra-low latency, port density, acceleration of content security
compared to any competitor in the market.

It allows Fortinet to penetrate the different market segments for the network.

As a result of the different architecture, Fortinet delivers more performance, capacity, and session ramp up to
the Palo Alto Networks price band model. Palo Alto is known to attempt to oversize its appliances in order to
make it appear it can handle the performance. PAN has Disable Server Response Inspection (DSRI), which
increases performance but only scans one direction.

The Fortinet Technical Marketing group conducted performance test on the Palo Alto PA 5060 and found
shocking performance issues. The test report called Competitive Edge against Palo Alto Networks provides
the details on the testing configuration and results. The report can be located at, https://goo.gl/nkUUgc

Fortinet Partner Confidential

competitive@fortinet.com
COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

Complexity is the Enemy of Security

Security Effectiveness is critical in all businesses because the threat landscape

continues to be extremely dynamic, and customers should demand best of
breed results. Without independent third-party security lab, validation and low
scoring security effectiveness can lead to malware taking advantage of OSes,
application, and device exploits. It can be costly exposure and clean up to a
business.

Palo Alto has taken a Pay to Play performance testing for its PA 7050. The
testing methodology does not provide real world performance. The report can
be found at https://goo.gl/hJn8j5

Next Generation Firewall

As the firewall refresh continues, application visibility and control for
applications, users, and devices has been critical for enterprise market
segment. Programs are needed to help customers to evaluate better NGFW into the enterprise and data
center segments.

FortiGate 3200D Tested

Best of Breed Security
Earned a NSS Labs NGFW
Recommend Status
99.6% Security Effectiveness
19.2 Gbps NSS Tested
performance
Better TCO than any of the
competitors than Palo Alto
Networks

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

4

 FortiGate 1500D Tested
Best of Breed Security
Earned a NSS Labs NGFW
Recommend Status
99.2% Security Effectiveness
11.7 Gbps NSS Tested
performance
Better TCO than any of the
competitors than Palo Alto
Networks

Fortinet can be deployed inline or in transparent mode. We do have a Cyber Threat Assessment Program,
which provides an evaluation unit and visibility to applications, threats, and users for customers PoC. For more
information, email ctap@fortinet.com.

Network visibility has become critical in the enterprise to provide protection and productivity. On the FortiGate,
the FortiView provides visibility to applications, users, devices, and threats. Fortinet supports and optimized
with over 3,300 application signatures, and the visibility continues to grow. Customers can create custom
application signatures for their in-house application development. It is easy to deploy a FortiGate with feature
rich visibility.

PAN has the Application Command Center (ACC), which provides network visibility with a limited number of
application signatures, which leaves the customer blind to unknown traffic.

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

Fortinet Partner Confidential
competitive@fortinet.com
Palo Alto Networks has the Application Visibility Report (AVR) & Enterprise Risk Report (ERR). In the
evaluation, PAN has its appliance configured in TAP mode and disables TCP state checking. It is providing
network visibility, but dont be fooled, it is not inline, and it is not providing any security protection. In the
proof of concept (PoC), customers should deploy it inline. In customer engagements, there have been issues
in false positives, performance, and weird behavior to the PAN appliance.

Unified Threat Management

Unified Threat Management provides

consolidation of firewall, VPN, Intrusion
Prevention, App Control, Antimalware, URL
Filtering, Antispam, Wireless Controller, WAN
Optimization, and other network & security
functionality into a single platform.

Fortinet innovated this market segment. In

this segment, customers are demanding
consolidated security, high performance,
simplified management, and total cost of
ownership. Fortinet is the only security
vendor, which vertically integrates the silicon,
system, and software with its threat updates
deliver by the FortiGuard Threat Research
team.

Fortinet offers a full wireless solution by

providing integrating the Wireless Controller
and offering a wide range of access points.
In addition, there is an RF site management
and wireless retail analytics for managing
access points and integrating into a retail
environment.

PAN lacks security innovation in the Unified Threat Management, which addresses the distributed enterprise
and retail branch. PAN is missing a number of consolidated security functionalities. PAN does not offer full
wireless or WAN optimization solution for the SMB, branch, and retail distributed locations.

Total Cost of Ownership

In comparing to the FortiGate(s), there are a number of different models, which address the different customer
and vertical markets. In the high end, there are virtualization & performance requirements, while the entry level
markets have consolidated security, ease of use, and cost sensitive. The enterprise is deploying on best of
breed security products and is less cost sensitive. The competitive cross-matrix provides a guidance between
the Fortinet and Palo Alto Networks models.

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

6

In the Service Provider segment, they are providing services to their customers, which requires high
performance, virtualization, and availability.

There are different models variants, a la carte security subscription, and support packages for the different
vendors. In the Service Provider Comparison, it compares the FortiGate 5000 series to the Palo Alto Networks
PA 7050. The Fortinet FortiGate 5000 series delivers close to 10x performance compared to the PA 7050. In
addition, it has the next generation of network connectivity for 100G, 40G, and density 10G interface. Palo
Alto Networks does not support the 100G or 40G. The PA 7050 has not made in roads to the service
providers; because of the performance issues and the $1.3M U.S list price for a 120Gbps firewall, which does
not perform at the datasheet specification in real-world deployments. PAN had commissioned Network Test
for a performance report on its configuration of the PA 7050. The PA 7050 network processing cards (NPC)
are based upon the PA 5060 appliance, with some small improvements. Each NPC would have similar
performance behaviors as a PA 5060 appliance.

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

Fortinet Partner Confidential

competitive@fortinet.com
In the Data Center and Enterprise, is where more of the competitive engagements exist with Fortinet and Palo
Alto Networks. The only 10G I/O products are the PA 3060, 5050, and 5060. Without 40G I/O, PAN does not
support next generation network connectivity for the data center. PAN will attempt to enable DSRI to increase
performance to 10Gbps, but it is only scanning in one direction. PAN has attempted to place the PA 7050
series into these Data Center and Enterprise deployment. There has been performance testing on the PA
5060, which shows performance at 2.2 Gbps versus the 20 Gbps performance on PANs datasheet. Lastly,
the Network World product review of the PA 5060 has the SSL performance at 986 Mbps.

There is the Enterprise and Mid Enterprise segments, which have dedicated security administrators and are
interested in best of breed Next Generation Firewall with advanced threat protection. Fortinet would
compete with the Palo Alto PA 3000 and 5000 series. The PA-4000 (4020, 4050, & 4060) series has been
End of Life (EOL). The PA 3060, 5050, and 5060 has 2x 10G network connectivity, which are not able to
provide line rate.

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

In the distributed enterprise, there are a number of requirements, which ranges from consolidated security,
Unified Threat Management, integrated wireless, 3G/4G support, PoE, ease of use, management, and other
features. Palo Alto is missing a number of consolidated security, networking, and wireless requirements.
Fortinet provides variants to accommodate the different requirements with the retail, branch office, and
distributed enterprise.

COMPETITIVE BATTLECARD: Fortinet vs. Palo Alto Networks

Fortinet Partner Confidential

competitive@fortinet.com
Fortinet 5 Key Advantages
1. Seamless: Consistent threat posture end-to-end, across the expanding attack surface.
2. Intelligent: Threat intelligence and advanced threat protection from the inside out for full visibility and
control.
3. Powerful: Get unrivaled network performance for today and the power to take on the future.
4. Cyber Threat Assessment Program (CTAP) provides a low touch assessment for threats, applications
and users visibility. Send your inquiry to ctap@fortinet.com.

Resources
Fortinet Next Generation Firewall (NGFW) and Advanced Threat Protection (ATP) Overview PowerPoint,
https://www.myfortinet.com/Tag.aspx?tid=93
Fortinet Data Center PowerPoint Overview, https://www.myfortinet.com/Tag.aspx?tid=94
Competitive Inquiry, competitive@fortinet.com
Demonstration of competitive security effectiveness SecurityEffectivenessDemo@fortinet.com
Customer Reference Program, CRP@fortinet.com
Online Competitive Database, https://competitive.myfortinet.com
Competitive Edge against Palo Alto PA 5060, https://goo.gl/nkUUgc
Network World Test Review Palo Alto PA 5060, http://goo.gl/IEjYge
o UTM performance at 108 Mbps
o SSL performance at 986 Mbps
Pay to Play Testing PA 7050 Test Report, https://goo.gl/hJn8j5
Palo Alto Network Disable Server Response Inspection (DSRI)
Fortinet Cyber Threat Assessment Program, ctap@fortinet.com
NSS Labs NGIPS 2015
o Test Report on the FortiGate 1500D, http://goo.gl/CUA5EU
NSS Labs NGFW 2014 Security Value Map, http://goo.gl/KmiTCX
o FortiGate 3600C, http://goo.gl/KmiTCX
o Palo Alto failed the test.
Palo Alto Networks IPS evasion DEMO, NSS Labs, https://goo.gl/yChFQN
Palo Alto Networks IPS Evasion By After NSS Labs Patch 6.05H3
o https://goo.gl/DcPVH8
Gartner Magic Quadrant for
o Enterprise Firewall 2015, http://www.gartner.com/technology/reprints.do?id=1-2CGLBR6&ct=150327&st=sb
o Unified Threat Management 2014, http://goo.gl/aCF1lY

10