What matters most when selecting a firewall?
An end user is planning a new datacenter.
Their specs require physical firewalls as opposed to virtual.
Vendors they are currently looking at are: CISCO, Forcepoint, Checkpoint, Palo Alto, Fortinet.
They need to suggest 3 vendors based on technical and commercial viability (budget isn't that tight, but we'd prefer a cheaper solution if the difference in quality isn't really all that).
They have been looking at their documentation and data sheets and they all seem to have practically the same features, more or less.
Is there any clear winner among these? What differentiates them in terms of features and performance? They all seem to have the core capabilities of an NGFW: Packet Filtering (Layers 3 & 4), VPN, Stateful Inspection, Application Visibility & Control, Threat Intelligence, IPS.
Relevant 3rd party benchmarks they are looking at: Gartner and Cyber Ratings. Should these suffice? Which one should I prioritize? I've heard Cyber Ratings is more relevant since they actually test the hardware.
Palo Alto is the gold standard, but it is pricey. They will often reach out and offer to negotiate. Fortinet is the most cost-effective and up-and-coming vendor.
How can you gauge a firewall's performance?
Active-Active clustering for high availability?
Best in the market to protect against evasion attacks?
Make sure you investigate the following (Recommendation from industry expert ASKDF)
Does the solution actually support active/active clustering with the features you intend to use enabled? Many firewalls (Checkpoint, FortiGate, others) support an Active/Active configuration, but as soon as you enable a feature everyone uses, Active/Active is no longer supported or might not even function, and you have to go to Active/Passive!
Do you actually need active/active? Is there a functional reason active/standby or active/passive will not suffice?
Sit down and map out your traffic flows by source/destination zones. For each pathway, assess what type of functions you want applied and what the throughput will be. For each of these pathways, then calculate the amount of raw horsepower required in the device.
Example:
flow 1: LAN to Internet. [IDS, IPS, AV]. 400Mbps.
flow 2: Internet to LAN. [IDS, IPS, AV, port forwarding, DDoS protection]. 2Gbps.
flow 3: CCTV cameras to CCTV recording server. [no features]. 5Gbps.
flow 4: CCTV viewing station to CCTV recording server. [IDS, IPS, AV, port forwarding]. 150Mbps.
flow 5: dialup IPSec VPN users to corporate file server. [IPSec VPN, IDS, IPS, AV, caching]. 2Gbps.
flow 6: clientless-SSL VPN users to corporate SharePoint. [clientless-SSL, IDS, IPS, AV, proxy server]. 100Mbps.
Note that this table illustrates a specific point: there will be flows you need to support that are very high bandwidth but do not require any actual work from the firewall. There will also be flows that are low bandwidth but require lots of processing.
If you are doing a new deployment in a new environment, go with PA or FG.
If security is your main concern, PA.
If security is an important goal, but budget is non-negotiable, FG.
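The sizing step described above (map each flow, note its features and throughput, then work out what the box must actually sustain), as an added worked example that is not part of any reply on this page. It charges each of the six flows from the table against every datasheet throughput figure its features depend on, sums per figure, and compares the totals with a candidate appliance. The feature-to-engine mapping, the appliance's datasheet numbers and the 70% headroom factor are assumptions for illustration, not any vendor's published data.

```python
"""Flow-based firewall sizing (added example, not from the original post).

Each traffic flow is charged against every datasheet throughput figure its
enabled features depend on. The totals are then compared with a candidate
appliance's datasheet. The feature-to-engine mapping, datasheet figures and
headroom factor below are assumptions; replace them with the vendor's numbers.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Throughput figures every NGFW datasheet publishes in some form.
ENGINES = ("firewall", "ipsec_vpn", "ssl_vpn", "threat_prevention")

# Which engine a feature exercises (assumed mapping; keys are lower-case).
# Features that stay in the forwarding path cost nothing beyond "firewall".
FEATURE_ENGINE: Dict[str, str] = {
    "port forwarding": "firewall",
    "ddos protection": "firewall",
    "ipsec vpn": "ipsec_vpn",
    "clientless-ssl": "ssl_vpn",
    "ids": "threat_prevention",
    "ips": "threat_prevention",
    "av": "threat_prevention",
    "proxy server": "threat_prevention",
    "caching": "threat_prevention",
}


@dataclass(frozen=True)
class Flow:
    name: str
    features: Tuple[str, ...]
    mbps: float


def engines_for(flow: Flow) -> set:
    """Every engine the flow touches. An unknown feature raises instead of
    being silently sized as free."""
    engines = {"firewall"}  # every packet crosses the forwarding plane
    for feat in flow.features:
        key = feat.lower()
        if key not in FEATURE_ENGINE:
            raise ValueError(f"no cost model for feature {feat!r} in flow {flow.name!r}")
        engines.add(FEATURE_ENGINE[key])
    return engines


def required_capacity(flows: List[Flow]) -> Dict[str, float]:
    """Mbps each engine must sustain, summed over all flows."""
    need = {e: 0.0 for e in ENGINES}
    for flow in flows:
        for engine in engines_for(flow):
            need[engine] += flow.mbps
    return need


def check_appliance(flows: List[Flow], datasheet: Dict[str, float],
                    headroom: float = 0.7) -> Dict[str, Tuple[float, float, bool]]:
    """Compare requirements with a datasheet derated by `headroom` (assumed
    70%: published figures are best case, usually large packets, and you
    want room for growth). Returns engine -> (needed, usable, ok)."""
    need = required_capacity(flows)
    return {e: (need[e], datasheet[e] * headroom, need[e] <= datasheet[e] * headroom)
            for e in ENGINES}


# The six flows from the table in the reply above.
FLOWS = [
    Flow("LAN to Internet", ("IDS", "IPS", "AV"), 400),
    Flow("Internet to LAN", ("IDS", "IPS", "AV", "port forwarding", "DDoS protection"), 2000),
    Flow("CCTV cameras to recorder", (), 5000),
    Flow("CCTV viewing station to recorder", ("IDS", "IPS", "AV", "Port Forwarding"), 150),
    Flow("IPsec VPN users to file server", ("IPSec VPN", "IDS", "IPS", "AV", "caching"), 2000),
    Flow("Clientless SSL VPN users to SharePoint",
         ("clientless-SSL", "IDS", "IPS", "AV", "proxy server"), 100),
]

# Hypothetical appliance (constructed numbers): large forwarding figure,
# modest inspection figure, the usual shape of an entry/mid-range box.
CANDIDATE = {"firewall": 20000, "ipsec_vpn": 4000, "ssl_vpn": 500, "threat_prevention": 5000}

if __name__ == "__main__":
    for engine, (needed, usable, ok) in check_appliance(FLOWS, CANDIDATE).items():
        print(f"{engine:18s} need {needed:7.0f} Mbps  usable {usable:7.0f} Mbps  "
              f"{'OK' if ok else 'UNDERSIZED'}")
```

Run against the table, the forwarding total is 9.65 Gbps and passes comfortably, while the inspected flows total 4.65 Gbps and fail the derated 5 Gbps threat-prevention figure: the 5 Gbps CCTV flow inflates the headline number but costs no inspection, exactly the point the table was making. Two caveats: the engines are modelled independently, so on a platform where VPN and IPS share the same CPUs you should ask the vendor for a figure measured with both enabled, which is the same question as the active/active one above; and an unrecognised feature name deliberately raises, because the expensive mistake in this exercise is a feature that gets sized as free.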
For Palo Alto: Also, if you are going with an HA pair and MIGHT have additional firewalls down the road, you might want to jump on budgeting for Panorama to manage it right out of the box. You can get longer native log retention and searching outside the firewalls right away, as well as shared objects and templates, if you do it right from the start.
Anyone who is running in-line IPS/IDS for a data center environment doesn't understand the high-availability nature of a data center environment.
These functions should be implemented using passive optical taps so that sensors getting overwhelmed (by a DDoS attack, for example) doesn't degrade or disrupt service that would have otherwise remained available and responsive. The reason for this is that IDS is very CPU intensive and will always be a potential bottleneck as there is no opportunity for hardware acceleration with non-trivial detection.
For FortiGate: Check out Fortinet’s FortiGate Session Synchronization Protocol (FGSP), if you want true active active.