KB ID 0001741
Replacing Cisco
If you’ve been following articles on the site you will know that the focus of the firewall related output is shifting from Cisco ASA / Cisco FirePOWER to Fortinet (FortiGate) firewalls.
This article is so you can make an informed choice about what you want to replace your Cisco firewall with.
Note: I’m starting with SOHO and Small Business sized firewalls, but I will extend this to ‘Enterprise sized’ firewalls as I have the time.
Replacing Cisco SOHO Small Business Firewalls with FortiGate
If ever there was something that was incorrectly sold it was likely a SOHO Cisco firewall. The problem was, back in the day of the ASA5505 the only alternative was a ASA5510 and that was four times the price, plus the 5505 had a built in switch which saved you having to buy one of those as well. Even now (in 2021) these things are ubiquitous, I see them balanced in wall mounted comms cabinets, and sat in data centres and popped under peoples desks.
To make matters worse it’s replacement the ASA5506-X was a decent firewall but it wasn’t also a switch! (Cisco half heartedly tried to fix this and made it worse). To add insult to injury if you paid for the NGFW Firepower option Cisco just disabled it without warning in version 9.10.(1).
Then we got the FPR1010 this comes in two flavours, the ASA Code version which I deploy, and the FDM version which is bobbins! (I get 10 questions a day on the site to help people set them up). This (at time of writing) is a relatively new firewall but I’ll include it for completeness, (and article longevity).
High Availability: Seriously? I see this more often than I should! Don’t be deploying home sized firewalls and wanting Enterprise solutions! Stop it now. On a serous note, all the little ASA/FPR support it, but they all need additional licensing to do so.
Stats: Remember when comparing the stats, we are comparing (mostly) old hardware against brand new (purpose built) hardware so the FortiGates will always look better on paper.
Cisco ASA5505, 5506-X and FPR1010 Specifications
Fortigate 40F, 60F, and 80F Specifications
Replacing Cisco SOHO Firewalls Conclusion
- Unless you need 10Gb connectivity (on your WAN) then go for the 60F, if you need all those 1Gb ports and you want it to function as a switch.
- If you don’t need so many LAN ports then go for the 40F (Note: even with 1x WAN port you can deploy SDWAN by using another interface!)
Replacing Cisco Medium Business / Small enterprise Firewalls with FortiGate
This is a difficult one to call, you can’t really say FortiGate model X is a direct comparison for Cisco model Y. To size a FortiGate firewall you need to
First: Decide what throughput you need (remember to factor in NGFW/IDS/ATP and possibly HTTPS Throughput this will be LOWER than the max throughput!)
Second: Decide what connectivity you want.
FortiGate throughput for these classes of firewalls falls into roughly three different categories;
- 10Gbps Throughput (1Gbps HTTPS Inspection throughput) to 27Gbps Throughput (4Gbps HTTPS throughput) = 100 and 200 Series.
- 32Gbps Throughput (3.9Gbps HTTPS Inspection throughput) to 36Gbps Throughput (5.7Gbps HTTPS throughput) = 300, 400 and 500 Series.
- 36Gbps Throughput (8Gbps HTTPS Inspection throughput) to 52Gbps Throughput (3.9Gbps HTTPS throughput) = 600, 800 and 900 Series.
Note: If the figures dont overlap neatly, thats because these are a mixture of D, E and F Releases.
Cisco ASA5500 and 5500-X Specifications
Cisco Firepower 1100 to 2100 Series Specifications
Fortigate 100 to 900 Series Specifications
Replacing Cisco Bonuses
- Remote VPN: You don’t need to buy additional remote VPN (AnyConnect) licences any more. With FortiGate remote SSL VPN is built in, and the client numbers are impressive.
- Failover: Is supported even for Active / Active and good old Active / Passive. and Clustering.
- SDWAN: You now have this capability if you require it.
- Redundant Power Supply: Is on all FortiGate models in this class.
If anyone wants to add any real world experiences or comments, please do so below.
Related Articles, References, Credits, or External Links
NA
Thank you for this, great article! Switching to Forinet or Meraki for several customers.
I’ve had it with firepower and will be looking to add Fortinet as an offering for clients. The amount of energy and time spent working with firepower is just too much. Shouldn’t be this hard.
Great overview above and very helpful. Probably pick up a low end unit to get familiar.
Hello,
I would like to arrange an upgrade between: nr. 1 ASA 5525-FPWR-K9 configured to manage : VPN IP-SEC site2site to about 50 points of sale. On the points of sale there are Cisco routers with mobile backup that communicate in vpn to the customer. I would like to set up a technology swap with n. 2 firewalls suitable in active/passive. The customer has 100M dedicated fiber. I would like to arrange the upgrade with Fortigate40F are correct for this use ?
The 40F is quite a small SOHO firewall compared to the 5525-X? Other than that, I cant see why it would not work.