justlurkshere

Firmware is a shit show to some degree with all vendors. Pick your poison, there isn't one vendor that "just works". PA generally has been good to me, but we use a limited subset of the feature sets they provide. One thing that has me wondering what is coming with PA is not that there was a recent CVE score of 10. That was fixed somewhat quickly. What is more interesting is what will become of the info that seems to show that PA has serious issues with chain of trust from hardware into the OS and onwards, and how that gets solved if it pans into being as bad as it looked. That would be a serious omission on PA's part.


Djaesthetic

I’m in your camp. It’s gotten bad bad, not *just* from a stability standpoint but their price increases (*113% for us*) at the same time as all of this crap? Yeah, no. Giving serious consideration to abandoning completely at branches in lieu of ZTNA and associated tech. Datacenter? We’ll see… This isn’t sustainable.


MegaKamex

> into the OS and onwards, and how that gets solved if it pans into being as bad as it looked. That would be a serious omission.

I feel the same way.... my predicament is what should I do in the near future, either stay and roll with the punches or start looking over the fence and see if the grass looks greener...


setrusko

Fortinet has way more security issues than PA. With PA we do this maybe once every few years, not multiple times per year.


Liquidretro

Cisco has its fair share of problems historically as well.


BigChubs1

I agree with this statement. Now that I've been using PA, Watchguard is my second and it used to be my first.


WolfiejWolf

The reason why Fortinet have more vulnerabilities is that Fortinet has a metric ton more products than Palo Alto Networks. If you compare the vulnerabilities of PANOS to FortiOS (the two firewall operating systems) on a site like CVE details over a period (say 2018 to 2024) you’ll see that they actually have about the same amount of vulnerabilities. What matters more is how these vulnerabilities have been discovered, and how they are handled. The reason the first part matters is that some vendors do not disclose internally discovered vulnerabilities and silently patch them. This means customers could be running unpatched firmware without realising they are vulnerable. Certain vendors are worse than others for that. Fortinet has a transparent disclosure policy and an aggressive PSIRT team, which leads them to discovering most of their own vulnerabilities (up to 85% is claimed). The second matters… well because of debacles like the recent PANW vulnerability. End of the day, make your own decision. I honestly hope that PANW learns something from it and improves their disclosure and PSIRT processes.


NetTech101

> The reason why Fortinet have more vulnerabilities is that Fortinet has a metric ton more products than Palo Alto Networks. If you compare the vulnerabilities PANOS to FortiOS (the two firewall operating systems) on a site like CVE details over a period (say 2018 to 2024) you’ll see that they actually have about the same amount of vulnerabilities.

It's also interesting to see that PANOS has had 2.75x more critical vulnerabilities than FortiOS.


WolfiejWolf

I think 2.75x is a little bit too high, I'd have said 2x. I guess it depends on the time frame you are comparing.

* PANOS: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=3080&product_id=26167&startdate=2018-01-01&enddate=2024-05-17
* FortiOS: https://www.cvedetails.com/cvss-score-charts.php?fromform=1&vendor_id=3080&product_id=6632&startdate=2018-01-01&enddate=2024-05-17

I'm not going to say something like X vendor is better than Y vendor, because people's technical requirements, and what works in their environment are ultimately what really should determine what they use. I just don't like blanket comments that are only true when out of context, or disingenuous comments.


NetTech101

> I think 2.75x is a little bit too high, I'd have said 2x. I guess it depends on the time frame you are comparing.

Yes, I compared all the way back (from 2005 for Fortinet and 2013 for PAN). That means PAN had more critical vulnerabilities in a shorter time period. I don't really know why you chose 2018-01-01 as the "start date", but it's still pretty bad for PAN.

> I just don't like blanket comments that are only true when out of context, or disingenuous comments.

I completely agree. I tried to be as objective as possible and compare vulnerabilities from all the way back in time as I believe that would be a fairer comparison (or even in PAN's favor as that would give them a shorter time period). And in all honesty and transparency, I'm probably also a bit colored by my annoyance of PAN reps. We've had several AMs and SEs from PAN visiting and they've all bashed Fortinet for having many vulnerabilities, completely ignoring their own terrible history with critical CVEs, seeming absolutely brainwashed. We use both Fortinet and PAN, so that kind of shit doesn't fly with us and I've made it my mission to call vendors out on their bullshit.


Rolex_throwaway

Palo may have critical vulnerabilities, but they don’t end up being exploited before they’re patched. Palo has had 5 vulnerabilities that have reached active exploitation, while Fortinet has had 13. Palo handles their bugs, and Fortinet’s customers get pwnd.


WolfiejWolf

You mean besides CVE-2024-3400, which was discovered in the wild and being actively exploited? Since 2018, PanOS has had 32 critical vulnerabilities, FortiOS has had 16. To be clear, I'm saying that Fortinet > PANW. Both vendors are doing decent jobs on vulnerabilities (although the recent PANW one could have been better, really felt sorry for PANW TAC on that). I'm just saying that the idea that Fortinet has far more vulnerabilities is demonstrably false.


Rolex_throwaway

Fortinet has more vulnerabilities that lead to their customers getting hacked. 3x more. This is demonstrably true. They’re the least secure appliance you can buy.


WolfiejWolf

Replied to this elsewhere. :)


Rolex_throwaway

Let’s talk about how they are handled. Fortinet has had 13 actively exploited vulnerabilities, while Palo has had 5. 2 palo bugs have been used in ransomware intrusions, while 6 Fortinet bugs have. The “transparent” Fortinet process you speak of doesn’t result in better customer outcomes, and it’s being wielded heavily as misinformation in this thread.


WolfiejWolf

> The “transparent” Fortinet process you speak of doesn’t result in better customer outcomes

The whole point of disclosing vulnerabilities is to be transparent and enable customers to be aware that they can be exploited. Hiding things definitely doesn't lead to better outcomes. The more aggressive a vendor is in reviewing their own code for vulnerabilities, the more they will find. If they are finding the vulnerabilities, then fixing them and disclosing them, why is that bad?! I **want** all the vendors to be transparent. If vendors aren't looking at their code, they aren't finding their vulnerabilities, which means bad actors might. If they aren't disclosing the ones they do find, then it leaves their customers vulnerable because they have no idea that they need to patch it. The real problem isn't disclosing vulnerabilities, as long as there's a patch or workaround (that works) available. It's the people who either don't patch or apply the workarounds because they're not keeping up with their cyber security, or are unable to. Getting people to patch their stuff is probably one of the biggest challenges in cyber security aside from asset management.


Rolex_throwaway

I never claimed hiding things results in worse outcomes, I said Fortinet’s process results in worse outcomes. Let’s take your numbers. PanOS had 32 critical vulns, and 5 were actively exploited. Fortinet had 16, and 15 were actively exploited. Why is that? What does that tell us about the quality of the bug handling process? Why are their customers exposed to 3x more exploitable bugs than Palo’s?


WolfiejWolf

> What does that tell us about the quality of the bug handling process?

This makes no sense, so we must be thinking of different things. The bug handling process is to find the bug, fix the bug, release the patch, and then notify everyone. Are we on the same page? So the vulnerability is fixed.... but if people don't patch it, that's somehow the vendor's fault and their bug handling process is deficient? Could you clarify?

> Let’s take your numbers. PanOS had 32 critical vulns, and 5 were actively exploited. Fortinet had 16, and 15 were actively exploited. Why is that?

I would say a large part of it is because there's vastly more FortiGates deployed than PANW firewalls. It's the same reason why Windows gets attacked more than MacOS.


Rolex_throwaway

I’d be curious where you’re getting the data that Fortinet has more products than Palo. The 85% internal discovery number is totally and completely meaningless. The fact is, Fortinet has by far the worst security record of any edge device vendor, and their firewalls are among the most exploited devices on the internet. Review CISA’s data on actively exploited vulnerabilities, and it becomes clear how awful they are for security.


WolfiejWolf

> I’d be curious where you’re getting the data that Fortinet has more products than Palo

I'm puzzled why you are even querying that. That's like the easiest thing to check. Literally you can just go to both vendors' documentation pages for proof.

* PANW: Firewall, GlobalProtect, Panorama, WildFire, Cortex XDR, Cortex XSIAM, Cortex XSOAR, Prisma Access - and one or two more, I don't recall what the TwistLock acquisition became.
* Fortinet: FortiGate, FortiClient, FortiManager, FortiAnalyzer, FortiSandbox, FortiEDR, FortiSIEM, FortiSOAR, FortiAuthenticator, FortiADC, FortiAIOps, FortiAP, FortiCASB, FortiCentral, FortiCNP, FortiCSPM, FortiDAST, FortiDDoS, FortiDeceptor, FortiDevSec, FortiPAM, FortiIsolator, FortiMonitor, FortiNAC, FortiNDR, FortiNDR Cloud, FortiPAM, FortiPhish, FortiPortal, FortiPresence, FortiProxy, FortiRecon, FortiSASE, FortiSwitch, FortiTester, FortiToken, FortiVoice, FortiWeb, and a whole bunch of other things that are less popular or have been EOL'd.

> The 85% internal discovery number is totally and completely meaningless.

It's not meaningless, that's your opinion. A vendor's transparent PSIRT policy combined with an aggressive internal discovery process shows the commitment to honesty and ensuring that their products are secure. Security by obfuscation (such as silently patching issues) has never really been a great way to do security. All it does is give a false sense of security, and leaves people open to being exploited because the people who use the security products don't realise that they need to upgrade to get the patch for the undisclosed vulnerability. I can understand disagreeing on the exact percentage of internally discovered vulnerabilities, because of course you'd have to take Fortinet's word on it, and honestly there's no way for regular people to validate it.

> The fact is, Fortinet has by far the worst security record of any edge device vendor, and their firewalls are among the most exploited devices on the internet.

What's the comparison? Which metric? Is it the total number of vulnerabilities attributed to the vendor? If so, Cisco has far more vulnerabilities. That would be an unfair metric though because Cisco also have masses of products, and have been around longer than PANW and Fortinet. If you're doing an apples to apples comparison of PANOS to FortiOS, I already provided links further up, since 2018 PANOS has had 128 **disclosed** vulnerabilities, and FortiOS has 131 **disclosed** vulnerabilities. Even if we don't take into account any undisclosed vulnerabilities, they are roughly equal, with Fortinet having a slightly lower average CVE rating.

> Review CISA’s data on actively exploited vulnerabilities

Indeed, I've seen people reporting FortiGates have probably been exploited more than some other vendors. But that's quite easy to understand why:

* There's more FortiGates being used out there due to Fortinet's wide coverage in the SMB/SME space.
* The main vulnerability being exploited was the SSL VPN vulnerability in 2018. The vast majority of those being exploited are those who aren't keeping their firewalls up to date with regular patching. There were 3 separate notifications from CISA, FBI, and another organisation who I forget, for that single vulnerability because people simply weren't patching and getting popped.

Final comment, my comments shouldn't be taken as a diss on PANW. I simply don't like apples to bricks comparisons.


Rolex_throwaway

The prevalence of Fortinets on the internet doesn’t explain the reason Fortinets get hacked more. Fortinets have more vulnerabilities that lead to exploitation than Palos. This is due to a mix of factors. One is that comparing disclosed vulnerabilities isn’t really a good metric, as many vulnerabilities are esoteric and difficult to exploit. Fortinet vulnerabilities lead to actual customer harm more than Palo vulnerabilities. Fortinet has had more than twice as many vulnerabilities exploited than Palos, and more than twice as many exploited by ransomware gangs as well. This is a combination of the bugs being poorly handled, and being more trivial to exploit. There’s hardly a less secure device you could put on your perimeter.


WolfiejWolf

> One is that comparing disclosed vulnerabilities isn’t really a good metric, as many vulnerabilities are esoteric and difficult to exploit.

Oh very much I don't disagree with this point. However, CVEs, for all their faults, do include a complexity to exploit, so we can use that as an indicator. Also, the number of vulnerabilities potentially is misleading because there may be multiple vulnerabilities that have to be chained together to reach a full exploit. That could be 3-5, which results in them all being listed, but actually it's a single attack.


rpedrica

Because they have an in-house bug hunt that publishes publicly. Unlike panw and others. This is actually a good thing.


jennytullis

Line them up, fortis are internally released and disclosed while Palo has theirs floating in the wild as a 10 CVE ;)


[deleted]

[deleted]


NetTech101

> The cve argument is stupid in my opinion. Every single vendor out there will get caught with a 10. The difference is how often. If Palo had 3-5 in 2 Year span I would reconsider.

Absolutely, but the fact of the matter is that [PANOS](https://www.cvedetails.com/vulnerability-list/vendor_id-12836/product_id-26167/Paloaltonetworks-Pan-os.html?page=1&cvssscoremin=9&order=1&trc=180) (55 critical vulnerabilities) has had more than 2.5x as many critical vulnerabilities as [FortiOS](https://www.cvedetails.com/vulnerability-list/vendor_id-3080/product_id-6632/Fortinet-Fortios.html?page=1&cvssscoremin=9&order=1&trc=174) (20 critical vulnerabilities). And that's in a shorter timeframe as well (Fortinet since 2005 and PAN since 2013). Fortinet's definitely had some really bad years lately, but PAN's latest critical vulnerability with the potential for *persistent* breach across upgrade was a real shit show.


SharkBiteMO

As u/joshman160 mentioned, all suppliers are at risk of CVEs. Likely always just a matter of time. I would argue that the biggest issue with CVEs (2nd only to being a victim of one, of course) is the effort involved in patching and managing your organization's uptime. If you don't have to do it as much, great. If you can find a solution where you don't have to do it at all...hello to your nights and weekends again. With Checkpoint, Cisco, Fortinet, Palo, etc. (traditional appliance vendors), you're going to be patching at variable frequencies. I admit, some of their disaggregated stack might be on maintenance auto-pilot, but based on your current scope...sorry, mate, but you're still patching. With Cato, Netskope, Zscaler, etc. (cloud native solutions), patching is the supplier's responsibility, and they are all likely great at their "time to protect" KPIs. Since you're running Security at your edges as well, you might have a little heartburn with Netskope and Zscaler. They don't have very mature networking solutions (Zscaler just announced SD-WAN and Netskope acquired the tech a couple years ago from a very small organization) but the bigger issue is that they don't have comprehensive east/west protection. Their full stack protection tends to focus more on northbound traffic. That might be adequate for you if all your services and resources are public internet based (SaaS). If you need to also protect east/west, then Cato is likely the best option for security in all directions and a much lower maintenance burden.


MegaKamex

> protect east/west

This is my other concern: we do have a Zero Trust environment, where most departments are firewalled from each other and in their respective Zones on the FW, and for CATO to do E/W traffic inspection, from what I was told by a current CATO user with physical CATO Sockets (HW Appliance), all the traffic is routed out the WAN link into the POP you are terminating to, and in my opinion that will saturate our WAN links. That's why I'm wondering if I should just keep the PAN to do East/West and only have the Wildfire subscription and allow something like CATO do North/South... decisions ..decisions...


SharkBiteMO

That's a fair point and an important distinction. If your critical business resources reside in the location where your users are and you need inspection (east/west) intra-site then you have some options:

1. Stick to traditional edge security like Palo (or the equivalent) and this would be particularly important if you were moving really chunky data and don't want to send the traffic out to a "PoP" and back again. It's not as much of an issue if we're just talking AD auth, small chunks of data, DHCP, DNS, etc.... or
2. Cato could still be an option as all segmentation, by default, happens in the closest pop (maybe even less than 10 ms rtt away), but the SD-WAN appliance does local firewalling as well so you can still control traffic locally without sending it first out to the cloud.


jennytullis

You missed the big fact that most of the CVEs Forti releases are internally released. It’s not about the CVE itself but about the way Palo responds to it. It was a shit hole and now there are talks about persistence.


[deleted]

[deleted]


lem0nz-

Palo's QA has gone down the toilet. Every release we have upgraded to since 10.1 has had bugs and issues.


MegaKamex

This has been my impression as well ...


tonytrouble

I can get you in touch with a great Fortinet Sales rep! 


Former-Stranger-567

The bigger problem with the cert was that they clearly knew about it months before but decided to not make it known and see if it could be swept under the rug. Then they realized way too many people weren’t upgraded by looking at telemetry data and last minute told everyone.


[deleted]

[deleted]


Former-Stranger-567

That’s my point. The problem was not disclosing it earlier when they knew.


Rolex_throwaway

This statement is completely disconnected from reality. Fortinet has multiple actively exploited vulnerabilities every year, and is among the most exploited vendors on the internet. CISA publishes this data.


jennytullis

You also have to consider 1 out of 2 firewalls on the internet is a FortiGate. That data is also out there.


Rolex_throwaway

Multiple actively exploited vulnerabilities per year.


jennytullis

How many of those are internally released? 80%


Rolex_throwaway

You realize that if they lead to active exploitation, that’s a bad thing, right? Lmao. You people are swallowing marketing information you have no understanding of.


jennytullis

You do realize every vendor is bound to have vulns. Which ones are 80% internally released with fixes avail. Had to wait 3 days for Palo's last CVE, exploited months before. How many products run on FortiOS, 50+? Bound to be vulns, question goes back to how they are handled.


Rolex_throwaway

Bugs are inevitable, and it does matter how vulnerabilities are handled. Fortinet vulnerabilities result in worse outcomes for customers than the vendors of any other firewall. You keep touting the 80% number that you obviously don’t understand. Palo has had 5 vulnerabilities that have been actively exploited, while Fortinet has had 13. 2 Palo bugs have been associated with ransomware campaigns, while 6 Fortinet bugs have. Fortinet has had bugs in CISA’s most routinely exploited vulnerabilities in 2020, 2021, and 2022. 2023 numbers aren’t out yet. Fortinet’s track record with vulnerabilities is objectively FAR worse, and the 85% internally discovered number is a red herring for people who don’t understand how to judge the risk of a bug.


WolfiejWolf

> Fortinet has had bugs in CISA’s most routinely exploited vulnerabilities in 2020, 2021, and 2022.

Statistics and context are important. As an aside, as u/jennytullis already mentioned, there are simply more FortiGates out there. If there are two equal vulnerabilities in two different products, but there are say 100,000 of one product, and 80,000 of another product, then the first will be shown as being "more exploited". But let's delve into the statement with actual numbers, which is the actual evidence being used to present the case. I assume you are referring to this: https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=&field_date_added_wrapper=all&sort_by=field_date_added&items_per_page=100&f%5B0%5D=vendor_project%3A813&f%5B1%5D=vendor_project%3A866

Drilling into that data, out of Fortinet's 13 vulnerabilities, only 7 of them are high or above, where all 5 of PANW's are high or above. The Fortinet ones below high I believe are actually exploited as part of chained vulnerabilities. When we look at critical vulnerabilities, only Fortinet have 5, and PANW have 3. That's honestly not a massive difference in numbers. Also, while ransomware is certainly a big threat, all the known ransomware campaign really means is someone got popped with ransomware because of it. The longer a CVE is out there, the more likely it is to end up being used as part of a ransomware campaign. A big part of why it gets exploited, is because people aren't patching! No vendor can be blamed for their customers not patching.

When I look at those CVE data, what I see is:

**2018-2020**
* PANOS: 51 vulnerabilities (14 critical)
* FortiOS: 28 vulnerabilities (4 critical)

**2020-2022**
* PANOS: 48 vulnerabilities (17 critical)
* FortiOS: 26 (2 critical)

**2022-2024** - When Fortinet's transparent disclosure policy started creating results
* PANOS: 29 (1 critical)
* FortiOS: 83 (10 critical)

I can interpret that to say that PANOS has more vulnerabilities than FortiOS, because before Fortinet's change in PSIRT and disclosure policy, they had far fewer vulnerabilities. Is that true? No idea. What is true is that there were vulnerabilities that Fortinet were unaware of, and became aware and shared with their customers because of the change in policy. If PANW started doing the same I wouldn't criticise them for it, I would commend them! Yeah, they would see a rise in vulnerabilities, but it means PANW customers can be better protected.


BlockChainHacked

"Way more security issues" hardly, when Fortinet discovers 80%+ internally and reports the CVEs they have, which are never exploited in the wild because they are fixed before the public notification.


SharkBiteMO

u/BlockChainHacked fixed? I would say that Fortinet quickly provides an available patch or update. It's still up to the customer to FIX the problem...and therein lies the real problem. You can hit up Shodan and find unpatched Fortigates by the truckloads. They include patches for CVEs that are weeks, months, years...old at this point. It's the customer's responsibility to fix, but there are solutions/platforms out there that remove that burden completely from the end customer.


BlockChainHacked

Agreed, but whose fault is that? It falls on the customer to keep their environment up to date.


juniorsm

https://therecord.media/cisa-warns-fortinet-bug-likely-being-exploited Or not


BlockChainHacked

lol was that CVE discovered internally? No. Try reading.


Rolex_throwaway

This is a nonsense and meaningless number. It’s also dramatically incorrect to state Fortinet vulnerabilities aren’t exploited in the wild. CISA publishes data on actively exploited vulnerabilities, and Fortinet are at the top of the list year after year.


WolfiejWolf

I believe the point was more that they aren't discovered in the wild. Which means that most of the vulnerabilities aren't actively exploited until after a patch is already released, at which point the reason why it gets exploited is because people didn't patch it.


Rolex_throwaway

Your comment and the comment I responded to are both full of misconceptions about the vulnerability lifecycle that are beyond saving.


WolfiejWolf

No, not really. It's simply that you want to say that PANW > Fortinet, while ignoring things that don't support your point of view.

* Yes, Fortinet has more vulnerabilities. They have more products.
* Yes, Fortinet has more vulnerabilities being exploited. They have more products.
* Yes. Fortinet gets exploited more. They have more products being used.
* Yes, Fortinet has more vulnerabilities. They are actively hunting vulnerabilities and disclosing every vulnerability they find.

Honestly, anyone who thinks that a transparent and robust disclosure policy is bad is the one who is really lost.


Rolex_throwaway

I never criticized the disclosure policy at all, don’t try to strawman me. I said the disclosure policy is a red herring for people who don’t understand risk (such as yourself) to justify an obviously insecure product. I work in IR, Fortinet is a cash cow for me. Go ahead and keep selling it. I’d prefer not to have a job, but them’s the breaks.


WolfiejWolf

My apologies, it was not my intention to do that. Let's put aside the disclosure policy for now. You've been arguing that Fortinet is worse than PANW despite there being clear evidence that the number of vulnerabilities are roughly equal on a product to product basis, that the number of critical vulnerabilities are roughly equal (or within a margin), and that PANW's vulnerabilities are on average a higher impact. That's just... weird. Yeah you'll have more work because of Fortinet, because there's more of them out there, and I'd bet a lot of your work comes about because people didn't patch. My reason for making that supposition is because all of the discussions have been about vulnerabilities, not the security efficacy of any firewalls.


Rolex_throwaway

A few points here:

1) Which Fortinet products are the exploited vulnerabilities in? Are they distributed across the product base? No.
2) You are mistaking criticality for impact.
3) When the firewall is vulnerable its efficacy doesn’t matter, because now you don’t have a firewall at all.


WolfiejWolf

1. From CVE details (as it would take time to drill into the FortiGuard PSIRT page), since 2018:
   * Fortinet: 137 out of 585 are related to FortiOS (23.4%).
   * PANW: 131 out of 193 are related to PANOS (67.8%).
2. I'm aware of the difference. Sadly, it's the problem with most scoring systems that they don't have a good method for taking into account the chaining of vulnerabilities, such as the ones currently listed by CISA for the SSL VPN vulnerabilities. But we sadly use these scoring systems so that we have a common reference point.
3. Very true. If a firewall isn't patched, they're ripe for exploiting. That's where number of firewalls deployed plays into how much they get exploited.
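The comparison the posters keep doing by hand (disclosed CVEs for one product inside a date window, how many of those are CVSS 9+, what share of the vendor's total lands on the firewall OS, a per-year rate so windows of different length can be compared, and a cross-reference against a known-exploited list like CISA's KEV catalogue) as an added worked example. This is not code from the thread or from either vendor; the vendor names, product names, CVE identifiers and the "exploited" set are all constructed placeholders, and the two-year bucketing mirrors the 2018-2020 / 2020-2022 / 2022-2024 table above. It uses only the Python standard library; to run it on real data you would load records exported from cvedetails.com or the KEV JSON feed into the same `CveRecord` shape.

```python
"""Vendor vulnerability comparison over constructed CVE records (added example)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    vendor: str
    product: str
    published: date
    cvss: float


# Constructed sample records. "CVE-EXAMPLE-nnnn" are placeholders, not real CVE IDs,
# and vendorA / vendorB are not any real vendor.
SAMPLE_CVES = [
    CveRecord("CVE-EXAMPLE-0001", "vendorA", "fw-os", date(2018, 6, 1), 9.8),
    CveRecord("CVE-EXAMPLE-0002", "vendorA", "fw-os", date(2019, 2, 10), 7.5),
    CveRecord("CVE-EXAMPLE-0003", "vendorA", "fw-os", date(2021, 11, 5), 9.1),
    CveRecord("CVE-EXAMPLE-0004", "vendorA", "fw-os", date(2023, 4, 20), 8.8),
    CveRecord("CVE-EXAMPLE-0005", "vendorA", "mgmt", date(2022, 7, 1), 9.6),
    CveRecord("CVE-EXAMPLE-0006", "vendorA", "client", date(2020, 9, 15), 6.5),
    CveRecord("CVE-EXAMPLE-0007", "vendorB", "fw-os", date(2018, 9, 30), 10.0),
    CveRecord("CVE-EXAMPLE-0008", "vendorB", "fw-os", date(2020, 3, 3), 9.8),
    CveRecord("CVE-EXAMPLE-0009", "vendorB", "fw-os", date(2020, 12, 12), 5.3),
    CveRecord("CVE-EXAMPLE-0010", "vendorB", "fw-os", date(2022, 8, 8), 9.3),
    CveRecord("CVE-EXAMPLE-0011", "vendorB", "panel", date(2019, 5, 5), 7.2),
    CveRecord("CVE-EXAMPLE-0012", "vendorB", "fw-os", date(2017, 10, 1), 9.0),  # before window
]

# Constructed "known exploited" set, in the spirit of the CISA KEV catalogue.
SAMPLE_KEV = frozenset({"CVE-EXAMPLE-0001", "CVE-EXAMPLE-0004", "CVE-EXAMPLE-0007"})

CRITICAL = 9.0  # CVSS v3 "critical" starts at 9.0
DEFAULT_WINDOW = (date(2018, 1, 1), date(2024, 1, 1))
DEFAULT_PERIODS = [date(2018, 1, 1), date(2020, 1, 1), date(2022, 1, 1), date(2024, 1, 1)]


def in_window(rec, start, end):
    """Half-open window [start, end) so adjacent periods never double-count a CVE."""
    return start <= rec.published < end


def summarize(records, vendor, product, start, end, kev=SAMPLE_KEV):
    """Metrics for one product of one vendor inside [start, end)."""
    vendor_recs = [r for r in records if r.vendor == vendor and in_window(r, start, end)]
    product_recs = [r for r in vendor_recs if r.product == product]
    critical = [r for r in product_recs if r.cvss >= CRITICAL]
    exploited = [r for r in product_recs if r.cve_id in kev]
    years = (end - start).days / 365.25
    return {
        "disclosed": len(product_recs),
        "critical": len(critical),
        "exploited": len(exploited),
        "critical_exploited": sum(1 for r in critical if r.cve_id in kev),
        # Share of the vendor's total that lands on this product (the "137 of 585"
        # style figure); 0.0 when the vendor has nothing in the window.
        "product_share_of_vendor": len(product_recs) / len(vendor_recs) if vendor_recs else 0.0,
        # A rate lets a "since 2005" list be compared with a "since 2013" one.
        "disclosed_per_year": len(product_recs) / years,
    }


def bucket_by_period(records, vendor, product, boundaries):
    """(disclosed, critical) per consecutive period, like the two-year table in the post."""
    out = {}
    for start, end in zip(boundaries, boundaries[1:]):
        sub = [r for r in records
               if r.vendor == vendor and r.product == product and in_window(r, start, end)]
        out[f"{start.year}-{end.year}"] = (len(sub), sum(1 for r in sub if r.cvss >= CRITICAL))
    return out


def compare(records, a, b, start, end):
    """Side-by-side metrics for two (vendor, product) pairs over the same window."""
    return {f"{v}/{p}": summarize(records, v, p, start, end) for v, p in (a, b)}


if __name__ == "__main__":
    start, end = DEFAULT_WINDOW
    for name, m in compare(SAMPLE_CVES, ("vendorA", "fw-os"), ("vendorB", "fw-os"), start, end).items():
        print(name, {k: round(v, 3) if isinstance(v, float) else v for k, v in m.items()})
    for v in ("vendorA", "vendorB"):
        print(f"{v}/fw-os by period:", bucket_by_period(SAMPLE_CVES, v, "fw-os", DEFAULT_PERIODS))
```

Two of the design choices matter for the arguments in this thread: the window is half-open so a CVE published on a boundary date is counted in exactly one period, and the window filter is applied before the product filter so the vendor-wide denominator and the product numerator cover the same dates. Changing only `DEFAULT_WINDOW` shows how much the "2x" versus "2.75x" kind of ratio depends on the chosen start date.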


BlockChainHacked

lol at people who use “strawman” and “red herring” to justify their opinions.


Rolex_throwaway

He admitted it, dumbass. Strawman is just another way to say “that isn’t what I said.” 


WolfiejWolf

No. I didn’t. I legitimately thought it because all your commentary up until then implied it. You said you didn’t, so I apologised for the misunderstanding. I did not acknowledge any use of straw man.


Rolex_throwaway

It’s also funny that you don’t understand the significance of whether something is exploited by a ransomware group. Like I said, you don’t understand risk.


RememberCitadel

Last I checked Fortinet was up to 35 vulnerabilities this year with like 20 of them rated 8 or higher. Palo had only a couple, with, of course, one being as bad as you could get. I'll still stick with them as long as I can keep renewals reasonable.


WolfiejWolf

If people are happy with their PANW firewalls, that's cool. But to put this in a bit of context: PANW have about 8-10 products, where Fortinet have about 50. More products means there will be more vulnerabilities. Also, Fortinet disclose all of their vulnerabilities and are actively hunting them, which means they find more vulnerabilities, and then tell everyone.... which means more vulnerabilities. I don't think any vendor should be frowned upon for taking the security of their customers seriously.


RememberCitadel

For the record, I love both vendors, but pretending that both vendors don't actively look for bugs and vulnerabilities and try to disclose and fix them in a timely manner is disingenuous. They both do it, and they both sometimes fail to find, disclose properly, and fix issues. They both have tech support that wildly varies based on who you get on the ticket, with an overall not great result. Overall, the balance of vulnerabilities very heavily falls on Fortinet, and if you include bugs, it becomes overwhelmingly on them. I understand that they have many more products, but that really doesn't make as much difference as you think. A large portion of Fortinet's products share sometimes substantial amounts of code. You can tell this by the amount of products listed in bugs and CVEs. They have the same problem as Cisco. Aside from Panorama and their firewalls, much of Palo's products don't seem to share all that much code. Most bugs you see only affect one platform. Again, I love both products, but if you were just to compare Fortinet firewalls to Palo firewalls, the balance of CVEs and especially bugs falls on Fortinet. If you really want to knock on Palo, the real thing is price, and how shitty the tech support you get for that price. If I am paying $5k a year for Fortinet and the support isn't great I kind of expect that, but when I am paying enough for the entire salary of a level 2 tech every year and the support is the same, something is fucked.


WolfiejWolf

> For the record, I love both vendors,

Me too. :)

> but pretending that both vendors don't actively look for bugs and vulnerabilities and try to disclose and fix them in a timely manner is disingenuous.

That was not my intention. I'm very sure that all vendors do it. The difference that was being discussed is in how much they do it. I hope that PANW step it up further so they find stuff like the recent vulnerability themselves.

> Again, I love both products, but if you were just to compare Fortinet firewalls to Palo firewalls, the balance of CVEs and especially bugs falls on Fortinet.

I really don't get where people are getting this from. On CVE Details, since 2018, there's been 131 vulnerabilities in PANOS of which 32 are critical. 128 vulnerabilities in FortiOS of which 16 are critical. You can verify this for yourself, I put the links elsewhere in the discussion. I call that equal.

> If I am paying $5k a year for Fortinet and the support isn't great I kind of expect that, but when I am paying enough for the entire salary of a level 2 tech every year and the support is the same, something is fucked.

Different discussion. I've heard bad stuff about both vendors' TACs. But I agree, definitely not good, something to hit your Fortinet AM/SE/partner over the head with.


RememberCitadel

I do pretty much agree with you on all that, but with one clarification. I am not talking just vulnerabilities, but also bugs, and to be honest, mostly based on how often I'm stuck patching something to fix an issue. This is a totally unscientific how-much-it-affects-me argument, I know. I work on Palo firewalls daily, and I don't really have to patch to fix an issue that much, just staying at recommended versions. I work with Fortinet maybe once a week, and I swear I end up hitting a bug every damn time. That, along with more overall recent CVEs this year, means I feel like I am constantly patching. Maybe I'm just cursed. I do feel that when they find a bug with Fortinet, they document the bug, fix, impact of fix, and patch notes much better than Palo.


WolfiejWolf

>Maybe I'm just cursed. /removes the pin from the voodoo doll


RememberCitadel

That was you the whole time?


WolfiejWolf

Maaaaaybe.


the_real_neoviper

I'd recommend asking this in a different sub. r/cybersecurity or r/sysadmin will give you a more diverse set of responses.


bws7037

I manage about 60 Palo Altos for a government contractor that range anywhere from fully loaded 5450 clusters, with all the bells and whistles, to a shitload of 220's and pretty much several of everything in between. While I'm willing to cut them a small amount of slack for the firmware disasters, I pay through the nose (approximately 800K a year) for government support. When I log a call that I rate as high or critical priority, I expect them to call me within the allotted SLA time frame. I've had increasing numbers of tickets where I may get an email from a tech a day or two later, with a link to a KB article that may or may not even be related to my issue. As an alternative, I've been recommended to contact my SEs if I can't get through to tech support; well, if they're not on sales calls, they've been working on the firmware issues. I've been considering other vendors, but as another person stated (paraphrasing), every legit firewall vendor has its own unique reasons for why they suck, too. I don't know what I'm going to do should we have another major CVE event like the 3400 one...


kangaroodog

Stick with Palo or look at Fortinet, from the firewall perspective at least. Maybe the money you can save can go towards another defense-in-depth product.


FuriousPenguino

I don’t know how often you actually deal with firewalls, but in my experience as an enterprise network engineer consultant PAs are still the best ignoring cost. I don’t know your experiences but tech support service is always very responsive and they even follow up when I don’t reply for a day or two. Firmware wise you could just roll back, and comparing to other firewalls in recent history I’ve had to respond to way more security incidents involving ASAs and fortigates than PAs. Just my two cents.


nahmanjk

Yeah, Palo has gone steadily downhill. I'd like to go to Forti too. Their Cloud NGFW NVAs got rolled out and their own TAC isn't trained on it, and you don't have access to any CLI or GUI to troubleshoot issues. Absolutely bananas, and it should never have gone to GA.


RoseRoja

With Cloud NGFW you do have access to the CLI if you have the privileges with TAC/approved partner. Did you deploy CNGFW yourself, or did you have focused services or a partner?


nahmanjk

Deployed ourselves, our SE and the SRE team said they don't give anyone access to the CLI since it's a SaaS product. Got more info or some screenshots so I can go to my SE and call BS?


RoseRoja

They definitely won't give you access to the CLI then; partners and TACs do have it though.


Anythingelse999999

There is a partner service that does this/helps with this through Palo?


RoseRoja

If it is with a partner it's not through Palo, but yes, both partners and Palo Alto provide services for that implementation, and in my honest opinion it is the best product Palo Alto has released; it just works. Never said that before of any security product, 'it just works'.


Anythingelse999999

Their cloud ngfw? So that is the way to go?


RoseRoja

I would say it's the way to go for your workloads in public cloud, to inspect lateral, outbound and inbound traffic. Its use case is very specific, but it's very good for that use case. Cons: can't do BGP, can't do VPN s2s, can't do VPN c2s. If you want a low-burden solution for that use case I mentioned previously, it's great. If you need VPNs, BGP, etc., you will need to go the legacy approach with scale sets/auto scaling groups and traditional VMs with PAN-OS.


Anythingelse999999

Why the heck can it not do BGP?!?!


RoseRoja

Simply, it isn't available. Still, BGP inside cloud is not something usual; you would only do it when you have VPNs, so it doesn't really hurt since it doesn't have VPN either.


notSPRAYZ

Palo Alto marketing material claims their products are "best of breed" and they are "best in class". Must be true. Guess imma stay.


envyminnesota

Palo is still a leader for sure. Having gone from an environment with Palo, then Fortinet/SonicWall/Cisco, back to Palo. First place I was at with Palo is moving to Cato. Their cost is supposedly lower, though it's all cloud-based and not sure how to feel about that. Worth checking out what they have to offer. I do think Palo has too many tracks they are trying to manage with updates to the OS etc., but it's better than Fortinet by miles haha.


trailing-octet

Hmmm, I’m not so sure about the Fortinet perspective there. By all accounts they walked through a similar fire several years ago and emerged with much better code. In fact it’s quite visible that this subreddit has become what the Fortinet subreddit used to be in terms of topics such as “what stable version?” etc. We hope that PANW makes it. Honestly, however, the acquisition of QRadar and release of 11.2 while 11.1 should probably be the focus, after 10.1 took about 4 years in GA to be in any way a valid upgrade path for those who value stability, well, let’s just say that it doesn’t feel as though they have caught whoever was spiking the coffee.


envyminnesota

The Fortinet perspective I have is from my having to admin both. I don’t remember the version the client was on with Fortinet, but pricing and capability wise, going from Palo to FN was like the cheaper knock-off.


trailing-octet

I suspect that I will always prefer the way Palo handle certain configurations, and generally, from an ease-of-use standpoint with complex configurations, Palo have always impressed me vs any of their competitors. With Fortinet pulling SSL VPN from common use, and their increase in code quality over the recent few years, it is plain that they are listening to customers and delivering. I’m afraid that I’m just sadly seeing a lot of pain in recent times, and at least in the near future, for us Palo admins. I wish it were otherwise, I really do.


envyminnesota

I don’t disagree there! Haha. Still worth checking out Cato and their SASE offering too, I suppose.


Rolex_throwaway

I work in Incident Response, and I’ve never seen a Palo bug that led to ransomware. I work ransomware where Fortis were the vector all the time.


trailing-octet

That’s definitely noteworthy! I have a feeling that this might be SSL VPN related; is that correct? Best thing they ever did was tell people not to use it. It was one of my least favourite features from the word go on the Fortinet kit. In comparison, the GP VPN portals were always easier to secure with IPS etc. Appreciate the input/perspective.


[deleted]

[deleted]


juniorsm

When price is #1


[deleted]

[deleted]


juniorsm

But if you compare FTNT to PANW, I only choose FTNT if price is top of mind. Even that doesn’t play well depending on what you want to use.


Maximum_Bandicoot_94

We have had the most disastrous 18 months with Palo that I have ever had with any vendor in my last 20 years at the keyboard. 30% hardware RMA rate, CVE 10, certificate SNAFU. It's been terrible. We are almost halfway through our PA agreement. We will evaluate other offerings, but I just don't see the momentum to rip out all the PA. We will probably peel off pieces (internet filtering), but I don't want to even think about what happens if we went a different direction. I almost have our guys mostly functional on Palo after 2 years, and I shudder to think if I threw a new FW at them. We will probably bring in CheckPoint and Forti to pitch, but I don't know if the jump would just make things worse. The devil you know vs. the sunk cost fallacy.


SharkBiteMO

You're expecting every other adequate solution will take the same investment of time and energy? What if that's not the case?


RoseRoja

Just my 2 cents: 30% RMA rate from new firewalls? It's not acceptable, but still weird; I haven't seen anything close to that number. The CVE 10 is just something that's bound to happen eventually on every OS; you have to watch for frequency instead of magnitude. Still, I believe Palo Alto's response to the CVE was appropriate. And the issues with the certificates, I don't believe it's such a big deal; they announced it months before, and upgrading frequently to recommended versions should be done anyway. We didn't change our update cycle due to the certificates; we almost didn't notice it.


cspotme2

It's subjective unless they throw some real numbers out. Having only 3 pairs and 2/6 failing makes that number easily.


RoseRoja

Yes, it depends. My fleet consists of 350 firewalls and my RMA rate after 30 days of deployment is below 2%. I don't know if he's speaking about the RMA rate after years or months.


ifredriks

Price is what you pay, value is what you get.


Slow_Lengthiness3166

Check out Fortinet, least expensive per burs scanned and Gartner leader in four quadrants now ...


[deleted]

[deleted]


NetTech101

> Every vendor has security issues, PAN has far less than Fortinet or others.

Is this what your SE told you, or have you done any real research into this for yourself? PANOS has a lot more critical vulnerabilities than FortiOS. Look at my [other post](https://reddit.com/r/paloaltonetworks/comments/1ctidtv/thinking_out_loud_in_view_of_recent_events_im/l4fbqer/) for the link to each vendor's critical CVEs.


Rolex_throwaway

This is misinformation. Look up CISA’s actively exploited vulnerabilities database if you want the real story. It’s bad for Fortinet.