Fortigate 80F v Sophos XG125 IPSec Remote Access

So is it fair to say that the XGS126 is on par (in theory) with the Fortigate 80F,  VPN throughput wise?
The XG125 rev3 is old, so is the web interface more responsive on the XGS hardware?
Fortigate's web interface is fast and has an insane number of add-ons/features (all requiring licensing).
That being said, we use Sophos Intercept X Endpoint and the interop between endpoint, firewall and Sophos Central is pretty awesome...

Thanks!

The thing is, Fortinet uses there Chip for IPsec, Sophos could do that too, but only the XGS Hardware has a IPsec capable chip. 

But overall it is always difficult to compare performance via iperf. Because iperf is highly reliant on MTU. 
As far as i know, fortinet uses a dynamic MTU approach, which meets a dynamic MTU, leading to a better "theoretical" performance with iperf. 

Iperf and an encryption component like SSLVPN and IPsec needs to encrypt each and every packet, which leds to the point of "if you cut the total amount of data to X or Y packets, it matters!" - Therefore you will see differences in terms of MTU of 1400 vs 1472 etc. 

So to speak, most people use SSLVPN for Remote Access - As the flexibility compared to the "Port500 could be blocked" situation in IPsec made SSLVPN more used in the field. 

Thanks for replying.

I did notice that the MTU was different (1372 vs 1400) between the two vendors and could not figure out how to "tune" the sophos IPSec MTU. Found it interesting that the TAP adapter MTU was 1500 but the actual IPSec connection was 1400.

None the less, you said that Sophos should use the chip like Fortinet since the XGS hardware has the chip as well. Is the operative word "should" to mean that they do not but could possibly in the future? Is it to mean that they do with the appropriate settings?

XGS hardware already supports IPSec offload feature (which is enabled by default) which offloads the IPSec datapath to the NPU.

My comment above was based on the fact, you are using a XG, not a XGS. Your Hardware is roughly X Years old. Fortigate80F is released 2021. 

Hello,

we use both vendors (and some others) at differnet sites of our customers. So I can speak out of own experience here.

Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

XGS Hardware makes a huge difference in performance compared to old XG series.

Fortinet have a lot of hardware power even in the "small" appliances.

Hello,

we use both vendors (and some others) at differnet sites of our customers. So I can speak out of own experience here.

Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

XGS Hardware makes a huge difference in performance compared to old XG series.

Fortinet have a lot of hardware power even in the "small" appliances.

PhilippRusch said:

Big difference is in licensing: Fortinet VPN Client cost for each user and is not perpetual.

https://docs.fortinet.com/document/forticlient/7.4.0/administration-guide/269675
there is something free and it is on same level as Sophos I think.

I know there is plan to add some kind of management for Sophos VPN client but I don't know if it is out yet.

This is comparing apples to oranges, when we talk about the vpn client. You could always use the open source OpenVPN-client with both of these firewalls. I was talking about the officially supported and managed versions.

So are you saying that the VPN clients provided by each vendor should be avoided and use the open-vpn and SSL VPN should be used as opposed to IPsec? Aside from the possible 500 port being blocked is there any other particular reason? I’ve seen quite a bit put out there saying SSL VPN is all but broken and are pushing for overlay networks. Any thoughts on that?

No, I did not suggest to avoid anything. I was talking about a fair comparison of price, performance and features.