Welcome back! This article is Part #2 of a series covering the aspects below for the top three hardware NGFW vendors, namely Palo Alto Networks, Fortinet and Check Point. If you missed Part #1 of this series, click the Part #1 link below.
Networking/Security Features (Part #2)
Performance Numbers (Part #3)
Architecture and Comparative Analysis (Part #4)
The scope of this article is the Desktop form-factor product offerings from each vendor in the Branch/Retail segment. Note: the ruggedized Desktop model is skipped.
Palo Alto Networks (PAN)
The PA-400 Series, comprising the PA-410, PA-415, PA-440, PA-445, PA-450, and PA-460, brings ML-Powered NGFW capabilities. PAN has consistently been placed in the Leaders quadrant of Gartner and Forrester reports for several years.
Below is a brief highlight of the key security and connectivity features offered:
ML-Powered NGFW
Inline signatureless attack prevention for file-based and phishing attacks.
Cloud-based ML processes to push zero-delay signatures and instructions
Behavioral analysis to detect IoT devices and make policy suggestions.
Identifies All Applications, on All Ports, All the Time, with Full L7 Inspection
Identifies applications irrespective of port, protocol, evasive techniques, or encryption (TLS/SSL).
Uses the application, not the port, as the basis for all your safe enablement policy decisions: allow, deny, schedule, inspect, and apply traffic-shaping.
Ability to create custom App-ID tags for proprietary applications or request App-ID development for new applications from PAN.
Security for Users at Any Location, on Any Device, While Adapting Policy Based on User Activity
Applies consistent policies and authenticates/authorizes users irrespective of user location and devices.
Provides dynamic security actions based on user behavior to restrict suspicious or malicious users.
Prevents credential leaks and reuse of stolen credentials by enabling multifactor authentication (MFA) at the network layer for any application.
Prevents Malicious Activity Concealed in Encrypted Traffic
Inspects and applies policy to TLS/SSL-encrypted traffic, both inbound and outbound, including for traffic that uses TLS 1.3 and HTTP/2.
Offers rich visibility into TLS traffic, such as amount of encrypted traffic, TLS/SSL versions, cipher suites, and more, without decrypting.
Enables control over use of legacy TLS protocols, insecure ciphers, and misconfigured certificates to mitigate risks.
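The two bullets above describe visibility into TLS versions and cipher suites and control over legacy protocols without decrypting. The following is an added example, not Palo Alto Networks code, showing the kind of check that makes this possible: the ClientHello is sent in cleartext, so its offered version and cipher suites can be parsed and a policy applied before any decryption. It assumes Python 3; the legacy-version and weak-suite tables are illustrative choices, not the vendor's.

```python
import struct

# Added example (not vendor code): TLS "visibility without decryption" as an
# NGFW does it, reading the cleartext ClientHello for version and cipher suites.
LEGACY_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}
WEAK_SUITES = {0x0001: "TLS_RSA_WITH_NULL_MD5", 0x0005: "TLS_RSA_WITH_RC4_128_SHA",
               0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA"}

def build_client_hello(version, suites):
    """Build a minimal ClientHello record (constructed sample input, no extensions)."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                          # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake

def parse_client_hello(data):
    """Return (client_version, [cipher suites]) from a ClientHello record, else None."""
    if len(data) < 46 or data[0] != 0x16 or data[5] != 0x01:
        return None                               # not a handshake record carrying a ClientHello
    body = data[9:]
    version = struct.unpack(">H", body[:2])[0]    # TLS 1.3 clients still put 0x0303 here and
    pos = 35 + body[34]                           # signal 1.3 via supported_versions (not parsed)
    if pos + 2 > len(body):
        return None                               # truncated before the cipher suite list
    n = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if pos + n > len(body) or n % 2:
        return None                               # truncated or malformed suite list
    suites = [struct.unpack(">H", body[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return version, suites

def evaluate(data):
    """Visibility-only policy: flag legacy versions and weak suites without decrypting."""
    parsed = parse_client_hello(data)
    if parsed is None:
        return {"verdict": "not-client-hello", "findings": []}
    version, suites = parsed
    findings = [f"legacy protocol {LEGACY_VERSIONS[version]}"] if version in LEGACY_VERSIONS else []
    findings += [f"weak cipher {WEAK_SUITES[s]}" for s in suites if s in WEAK_SUITES]
    return {"verdict": "block" if findings else "allow", "version": version, "findings": findings}

# Constructed samples: a TLS 1.0 hello offering RC4 and 3DES, and a modern hello.
LEGACY_HELLO = build_client_hello(0x0301, [0x0005, 0x000A])
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x1301])
```

The same record-level view also gives the "amount of encrypted traffic" metric: counting bytes in records whose first byte is 0x17 (application data) needs no decryption either.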
Centralized Management and Visibility
Panorama provides centralized management, configuration, and visibility for multiple distributed NGFWs.
Streamlines configuration sharing through Panorama with templates and device groups and scales log collection as logging needs increase.
Application Command Center (ACC) provides deep visibility and comprehensive insights into network traffic and threats.
AIOps
Intelligently predicts firewall health, performance, and capacity problems based on ML powered by advanced telemetry data. It also provides actionable insights to resolve the predicted disruptions.
AIOps for NGFW delivers continuous best-practice recommendations customized to your unique deployment to strengthen your security posture and get the most out of your security investment.
Enables SD-WAN Functionality
Unique Single-Pass Parallel Processing (SP3) Architecture
Performs networking, policy lookup, application identification and decoding, and signature matching for all threats and content in a single pass. This significantly reduces the processing overhead of performing multiple functions in one security device.
Avoids introducing latency by scanning traffic for all signatures in a single pass, using stream-based, uniform signature matching.
Enables consistent and predictable performance when security subscriptions are enabled.
Below is a snapshot of network and security features supported:
Fortinet
Fortinet is a leader in both the Gartner Magic Quadrant and Forrester reports for both NGFW and SD-WAN capabilities.
FortiOS
FortiOS enables the convergence of high-performing networking and security.
FortiOS can be deployed anywhere and delivers a consistent, context-aware security posture across network, endpoint, and multi-cloud environments.
FortiOS powers all deployment types: physical, virtual, container and cloud service.
FortiOS expands the Fortinet Security Fabric's ability to deliver the following:
Advanced AI/ML powered services,
inline advanced sandbox detection,
integrated ZTNA enforcement, and more.
It provides protection across hybrid deployment models for hardware, software, and Software-as-a-Service with SASE.
FortiOS expands visibility and control and ensures the consistent deployment and enforcement of a simplified, single policy and management framework. Its security policies enable centralized management across large-scale networks.
FortiConverter Service
FortiConverter Service provides hassle-free migration to help organizations transition from a wide range of legacy firewalls to FortiGate Next-Generation Firewalls quickly and easily.
FortiGuard Services
FortiGuard AI-Powered Security
FortiGuard's rich suite of security services counters threats in real time using AI-powered, coordinated protection designed by FortiGuard Labs security threat researchers, engineers, and forensic specialists.
Web Security
Advanced cloud-delivered URL, DNS (Domain Name System), and Video Filtering providing complete protection against phishing and other web-borne attacks while meeting compliance requirements.
Content Security
Advanced content security technologies enable the detection and prevention of known and unknown threats and file-based attack tactics in real time. Capabilities like CPRL (Compact Pattern Recognition Language), AV, inline Sandbox, and lateral movement protection make it a complete solution to address ransomware, malware, and credential-based attacks.
Device Security
Monitor and protect IT, IIoT, and OT (Operational Technology) devices against vulnerability and device-based attack tactics.
Its validated near-real-time IPS intelligence detects and blocks known and zero-day threats, provides deep visibility and control over ICS/OT/SCADA protocols, and provides automated discovery, segmentation, and pattern-identification-based policies.
Security Processing Unit (SPU), ASIC Advantage
Fortinet’s custom SPU processors deliver the power you need—up to 520Gbps— to detect emerging threats and block malicious content while ensuring your network security solution does not become a performance bottleneck.
Secure SD-WAN ASIC SOC4
Combines a RISC-based CPU with Fortinet’s proprietary Security Processing Unit (SPU) content and network processors for unmatched performance.
Accelerates IPsec VPN performance for best user experience on direct internet access.
Enables best of breed NGFW Security and Deep SSL Inspection with high performance.
Centralized management for networking and security, automation, deep analytics, and self-healing.
Interactive drill-down and topology viewers that display real-time status.
On-click remediation for accurate and quick protection against threats and abuses.
Unique threat score system correlates weighted threats with users to prioritize investigations.
Checkpoint
Check Point is also a consistent leader with the top analyst firms Gartner and Forrester. The Quantum Spark 1500 Pro NGFWs are the industry's first firewalls with integrated AI/ML security and cutting-edge Wi-Fi 6 with 5G cellular. SD-WAN provides faster Internet connectivity, application performance, and maximum uptime. Managing Quantum Spark firewalls is easy via an intuitive web interface and a mobile management app.
Comprehensive, Industry-Leading Security
Site-to-Site, Remote Access VPN
Application Control and Web Filtering
Intrusion Prevention
Antivirus and Anti-Bot
Anti-Spam Email Security
SandBlast Threat Emulation (sandboxing)
Wired, Wi-Fi 6, and Wi-Fi 6 with 5G Models
Dual SIM single standby (DSSS)
5G antennas: 1x main, 2x MIMO, 1x Auxiliary
Global coverage
Cloud Management
Quantum Spark cloud management enables service providers to provision security efficiently across all Check Point products and services from the Infinity Portal. Unified logs and dashboards enable Managed Service Providers to manage hundreds of thousands of Quantum Spark firewalls for their small and medium business customers so they can focus on growing their own business.
Security Management App
The intuitive mobile app provides real-time monitoring of network events, alerts you when your network is at risk, enables you to quickly block security threats, and lets you configure the security policy for multiple gateways.
Below is a snapshot of the networking/security features supported on Desktop models:
Summary
Common Features:
Firewall Capabilities: All three vendors offer firewall functionality, which forms the core of their NGFW solutions, providing network traffic filtering and access control.
Intrusion Prevention System (IPS): PAN, Fortinet, and Check Point include IPS features to detect and prevent network-based attacks and exploits.
VPN (Virtual Private Network): VPN capabilities are provided by all three vendors, allowing secure remote access and site-to-site connectivity.
Centralized Management: PAN, Fortinet, and Check Point offer centralized management platforms that enable administrators to configure and monitor NGFW deployments from a single interface.
Differentiating Features:
Advanced Threat Protection: PAN and Check Point are known for their advanced threat detection and prevention capabilities, offering features such as sandboxing, threat intelligence, and behavioral analysis. Fortinet also provides comprehensive security features but focuses more on unified threat management (UTM) functionality.
Application Visibility and Control: PAN is recognized for its granular application-level visibility and control, allowing administrators to define policies based on specific applications and users. Fortinet and Check Point also offer application control features but may have variations in their level of granularity.
SSL Decryption: PAN and Fortinet provide SSL decryption capabilities, allowing inspection of encrypted traffic for better threat detection and prevention. Check Point also supports SSL decryption but may have limitations depending on the model.
Integrated SD-WAN Functionality: Fortinet is known for its integration of SD-WAN capabilities within its NGFW solutions, allowing organizations to consolidate security and wide area network (WAN) connectivity in a single device.
Sandboxing and Advanced Threat Emulation: Check Point's SandBlast technology includes advanced threat emulation and extraction techniques to detect and prevent zero-day and unknown threats. PAN and Fortinet may offer similar sandboxing features but with their own implementation approaches.
References and Credits
Official websites and datasheets of Palo Alto Networks, Fortinet and Check Point.
Analysis of feature differentiation assisted by ChatGPT.