Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 14 replies
  • Subscribers 43 subscribers
  • Views 3316 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Fortigate 80F v Sophos XG125 IPSec Remote Access

BrushTech

With my license renewal fast approaching and my XG125 rev3 EOL I am at a cross roads as to which vendor I should move forward with. Out of pure frustration, I got my hands on a Fortigate 80F to compare SSLVPN and IPSecVPN remote access throughput. I setup the VPN's using the same config or as close as possible (encryption, DH) and used the respective vendor's VPN client. The results are as follows and I'm completely dumbfounded...Is the 80F just a bigger firewall but spec wise inline with XG125 rev3 or is it the client or what?!?!?!

Firewall(s) ISP: 1Gbps/1Gbps fiber
Remote ISP: 750 Gbps/750 Gbps
Sophos SSL: iperf3 between 150Mbps & 170Mbps
Fortigate SSL: iperf3 between 150Mbps & 170Mbps
Sopho IPSec: iperf3 between 50Mbps & 62Mbps
Fortigate IPSec: iperf3 between 385Mbps & 500Mbps

Thanks for looking at this post!



This thread was automatically locked due to age.
  • 0

    Fortinet has better appliances, far more then Sophos XGS line. Sophos has better sales process Innocent. I left this kind of discussions 20 years ago. Now it is about money. 

  • 0 in reply to damiri

    There's no way to disagree with you. It's all about money now.

    It still needs a truckload of features to be on par with its competitors, but I like to be fair and I don't consider the test as equal.

    The XG hardware is quite old, compared to the Fortigate 80F, which is from 2022. This XG should be between 2015 and 2018, not in the 2020s.

    To be fairer, it should be with the XGS series, which has hardware acceleration for IPsec, which the XG series doesn't have.

    So  , with the XGS hardware the metrics certainly change, I just can't tell you how much of an improvement, but I can say that it's better than the XG.


  • 0 in reply to Gib GoDesk

    It is overall opinion I have. I wasn't referring to particular models nor this comparation. 

  • 0

    So is it fair to say that the XGS126 is on par (in theory) with the Fortigate 80F,  VPN throughput wise?
    The XG125 rev3 is old, so is the web interface more responsive on the XGS hardware?
    Fortigate's web interface is fast and has an insane number of add-ons/features (all requiring licensing).
    That being said, we use Sophos Intercept X Endpoint and the interop between endpoint, firewall and Sophos Central is pretty awesome...

    Thanks!

  • 0 in reply to BrushTech

    The thing is, Fortinet uses there Chip for IPsec, Sophos could do that too, but only the XGS Hardware has a IPsec capable chip. 

    But overall it is always difficult to compare performance via iperf. Because iperf is highly reliant on MTU. 
    As far as i know, fortinet uses a dynamic MTU approach, which meets a dynamic MTU, leading to a better "theoretical" performance with iperf. 

    Iperf and an encryption component like SSLVPN and IPsec needs to encrypt each and every packet, which leds to the point of "if you cut the total amount of data to X or Y packets, it matters!" - Therefore you will see differences in terms of MTU of 1400 vs 1472 etc. 

    So to speak, most people use SSLVPN for Remote Access - As the flexibility compared to the "Port500 could be blocked" situation in IPsec made SSLVPN more used in the field. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Thanks for replying.

    I did notice that the MTU was different (1372 vs 1400) between the two vendors and could not figure out how to "tune" the sophos IPSec MTU. Found it interesting that the TAP adapter MTU was 1500 but the actual IPSec connection was 1400.

    None the less, you said that Sophos should use the chip like Fortinet since the XGS hardware has the chip as well. Is the operative word "should" to mean that they do not but could possibly in the future? Is it to mean that they do with the appropriate settings?

  • 0 in reply to BrushTech

    XGS hardware already supports IPSec offload feature (which is enabled by default) which offloads the IPSec datapath to the NPU.

  • 0 in reply to BrushTech

    My comment above was based on the fact, you are using a XG, not a XGS. Your Hardware is roughly X Years old. Fortigate80F is released 2021. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Hello,

    we use both vendors (and some others) at differnet sites of our customers. So I can speak out of own experience here.

    Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

    XGS Hardware makes a huge difference in performance compared to old XG series.

    Fortinet have a lot of hardware power even in the "small" appliances.

    Mit freundlichem Gruß, best regards from Germany,

    Philipp Rusch

    New Vision GmbH, Germany
    Sophos Silver-Partner

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to PhilippRusch
    PhilippRusch said:
    Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

    https://docs.fortinet.com/document/forticlient/7.4.0/administration-guide/269675
    there is something free and it is on same level as Sophos I think.

    I know there is plan to add some kind of management for Sophos VPN client but I don't know if it is out yet.

Unfiltered HTML