Fortigate 80F v Sophos XG125 IPSec Remote Access

Fortinet has better appliances, far more then Sophos XGS line. Sophos has better sales process . I left this kind of discussions 20 years ago. Now it is about money. 

There's no way to disagree with you. It's all about money now.

It still needs a truckload of features to be on par with its competitors, but I like to be fair and I don't consider the test as equal.

The XG hardware is quite old, compared to the Fortigate 80F, which is from 2022. This XG should be between 2015 and 2018, not in the 2020s.

To be fairer, it should be with the XGS series, which has hardware acceleration for IPsec, which the XG series doesn't have.

So BrushTech , with the XGS hardware the metrics certainly change, I just can't tell you how much of an improvement, but I can say that it's better than the XG.

It is overall opinion I have. I wasn't referring to particular models nor this comparation. 

So is it fair to say that the XGS126 is on par (in theory) with the Fortigate 80F,  VPN throughput wise?
The XG125 rev3 is old, so is the web interface more responsive on the XGS hardware?
Fortigate's web interface is fast and has an insane number of add-ons/features (all requiring licensing).
That being said, we use Sophos Intercept X Endpoint and the interop between endpoint, firewall and Sophos Central is pretty awesome...

Thanks!

The thing is, Fortinet uses there Chip for IPsec, Sophos could do that too, but only the XGS Hardware has a IPsec capable chip. 

But overall it is always difficult to compare performance via iperf. Because iperf is highly reliant on MTU. 
As far as i know, fortinet uses a dynamic MTU approach, which meets a dynamic MTU, leading to a better "theoretical" performance with iperf. 

Iperf and an encryption component like SSLVPN and IPsec needs to encrypt each and every packet, which leds to the point of "if you cut the total amount of data to X or Y packets, it matters!" - Therefore you will see differences in terms of MTU of 1400 vs 1472 etc. 

So to speak, most people use SSLVPN for Remote Access - As the flexibility compared to the "Port500 could be blocked" situation in IPsec made SSLVPN more used in the field. 

Thanks for replying.

I did notice that the MTU was different (1372 vs 1400) between the two vendors and could not figure out how to "tune" the sophos IPSec MTU. Found it interesting that the TAP adapter MTU was 1500 but the actual IPSec connection was 1400.

None the less, you said that Sophos should use the chip like Fortinet since the XGS hardware has the chip as well. Is the operative word "should" to mean that they do not but could possibly in the future? Is it to mean that they do with the appropriate settings?

XGS hardware already supports IPSec offload feature (which is enabled by default) which offloads the IPSec datapath to the NPU.

My comment above was based on the fact, you are using a XG, not a XGS. Your Hardware is roughly X Years old. Fortigate80F is released 2021. 

Hello,

we use both vendors (and some others) at differnet sites of our customers. So I can speak out of own experience here.

Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

XGS Hardware makes a huge difference in performance compared to old XG series.

Fortinet have a lot of hardware power even in the "small" appliances.

PhilippRusch said:

Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

https://docs.fortinet.com/document/forticlient/7.4.0/administration-guide/269675
there is something free and it is on same level as Sophos I think.

I know there is plan to add some kind of management for Sophos VPN client but I don't know if it is out yet.