DISCLAIMER: indeni has no specific bias towards one manufacturer or the other, but please keep in mind indeni currently supports firewalls made by Cisco, Check Point, Fortinet, Juniper and Palo Alto Networks.
Gartner has just released its magic quadrant for Enterprise Network Firewalls. Two leaders were identified – Check Point (CHKP) and Palo Alto Networks (PANW) – congratulations to both!! You can access reprints via Check Point’s website as well as Palo Alto Networks’ website.
It is very interesting to read this report as much of it correlates highly with what we’re seeing in the market through indeni Insight as well as our own sales and marketing efforts. Kudos to Gartner, and specifically Adam Hils, Greg Young and Jeremy D’Hoinne, for doing a great job here.
Here are our insights:
- Cisco is not labeled a leader by Gartner due to execution on the product side but we definitely see it as one of the top three by market share. Almost every customer we interact with has some Cisco ASAs, where some customers are entirely Cisco ASA based. We do see, though, that such customers’ functionality requirement from their firewalls is minimal as they either don’t put much focus on security or they augment the Cisco ASAs with other security products (Sourcefirce, Fireeye, etc.).Cisco has the largest channel and is the most established manufacturer in the market. As a result they have the most leverage and ability to get into specific customers.
- Check Point is indeed one of the leaders on functionality. The set of different security functions that a Check Point firewall has is enormous. Some of these are a result of acquisitions, some developed in-house. There is a lot of effort on Check Point’s side to integrate these functions into a single management interface (and R80 is part of this). However, we do see users getting overwhelmed with the amount of functions and keeping up with their configurations. Almost every single multi-billion-dollar company we speak with, and many smaller organizations, use Check Point across at least part of their network.Price has been mentioned by customers repeatedly as an issue. Price sensitivity is less common in Fortune 500 but more common in smaller organizations or ones outside of the US (the majority of the market). Usually it is coupled with a lesser need for top-notch security. The note Gartner made regarding under-sizing appliances is something we’ve seen as well. Check Point is making efforts to deal with this with tools such as CPsizeme but it looks like undersizing is indeed occurring to reduce price. That is resulting in some frustration with customers.
- Fortinet is a strong vendor in this market too. We see Fortinet a lot more in environments where there is either price-sensitivity or high performance requirements. This means that Fortune 500 (which are all US-based) tend to choose Fortinet less as they aren’t as price sensitive. We do see Fortinet quite a bit in smaller organizations as well as quite heavily outside the US (where price sensitivity is a real issue).Fortinet’s high-performance gear is a big attraction for enterprises with extremely large amounts of traffic. Their larger chassis can support unusually high amounts of traffic, however mostly when a smaller set of features are enabled. This is a great fit for data centers as the most security functions are deployed outside of the core, leaving the Fortinet chassis to focus on firewalling, switching/routing and basic security functions.
- Juniper has its old line of SSGs/ISGs and the newer SRX line. While we see the SSGs quite often, because in reality they very rarely fail and no one sees a reason to replace them, the SRXs should be the focus of this analysis. JunOS-running SRX are mostly deployed in smaller environments because, in our experience, SRXs are considered as a simpler firewall. Across the board, anyone who has ever used JunOS loves it. It’s easy to use and highly responsive.Customers are showing real concern around Juniper’s roadmap for security devices. While the other vendors are promoting new features increasingly, Juniper is quite silent on these. As a result, customers who are seeking security innovation are looking at alternatives. Moreover, Juniper’s SSL VPN was once the best perceived SSL VPN product, but the recent divestment is causing customers to see the end of the road for it and consider firewalls’ support for SSL VPN as a replacement.
- Palo Alto Networks is the fastest growing vendor in this space. Their marketing machine is the best across the vendors we are familiar with – measured by the number of customers we interact with which are discussing Palo Alto Networks’ offering (even if they are not users yet). With a whole range of features offered, most customers are still at the firewall/App-ID/User-ID level. Wider deployment of the other features isn’t main-stream yet. Customers are generally very positive towards the additional security features provided by Palo Alto Networks’ firewalls.A very interesting situation we’ve noticed is that Palo Alto Networks’ customers love them and show far more appreciation to them as a manufacturer than others. Palo Alto Networks is putting a lot of emphasis on the end-user experience – through their online marketing, field marketing, channel, field sales and support services, in addition to the product itself – and it is paying off. This is resulting in cases where even though multiple solutions were comparable, customers chose Palo Alto Networks as they were drawn to them. Keep in mind that this is supported by a solid security product.
Throughout the report Gartner mentions issues around quality and support services provided by some of the manufacturers. In reality – all of the customers we speak with complain about this across all product lines. They feel that vendors are working day and night to push out new functionality and keep up with their competitors, while at the same time disregarding quality and making the products far more complicated to operate and keep stable. Our recommendation to the vendors is to take this note very carefully and close to heart as the current trend in quality/complexity issues is taking the entire industry in a problematic direction.
Comments are very welcome, please share your thoughts below.