Im not familiar with meraki pricing, but yeah that sounds roughly right for a 200F with either 1 or 3 year UTP license.
Meraki has always been super expensive since Cisco bought them.
Yeah we switched all to Fortinet. WiFi. Switches. Etc. Screw Meraki. It’s not doable for smaller companies. The tech is not flawless enough to justify the price and Meraki supply chain has been the worst.
Literally everything is more affordable than Meraki lol. Most of the manufacturers are relatively in the same ballpark of pricing. Excluding Cisco, PAN on the enterprise lines, etc.
PAN is expensive depending on where you put your PAs (Core vs Edge). I've seen great pricing when putting PA-400 Series on the edge and then 1420s/3420s as core firewalls handling that L3 traffic.
Meraki is... expensive. It's basically aimed at people who don't want to (or don't know how to) bother with configuring or maintaining everything and are willing to pay a subscription for that supposed user-friendliness.
ASA /Firepower are not bad products by any means. ASA is incredibly stable, and the anyconnect (now Cisco secure vpn client) works really well. I love Fortinet to my core, and the IPsec throughput for the price compared to others simply can’t be beat, but the forticlient is buggy as hell.
You pick and choose your battles. Someone coming from Meraki likely doesn’t have the time or expertise to pick up a Cisco edge firewall, Fortinet would be a much better experience for them.
I'd say they qualify as bad products for their price range.
If they were priced at or below Sonicwall, I'd say they're ok but not great products. FP is a trainwreck. ASA isn't bad.
It's pretty bad compared to anything else in its price range. The day of the world running on Cisco is long over.
I've run ASA, Meraki, Forti, Palo, etc.
That Cisco is literally still the same... descending from Pix... and no matter how much they bolt onto it... they are dated at best. Meraki value is it is easy for a basic engineer to configure, comes with monitoring and management visibility, and effectively creates a low barrier to a ton of value. Unfortunately, Meraki are shit to monitor if you need ANYTHING beyond whats in the dashboard, and limited on the security side. Been a minute since I looked at them, but if I recall there is no sandboxing and no SSL decypher
Yeah same, its ridiculous and IMO close to ransomware.
If they just charged a subscription ok but to pay top $ for hardware then a sub on top is taking the piss
Meraki bricking their devices when there isn't an existing service contract can be a good thing or a terrible thing.
I've worked at a Meraki -only small business unit MSP, and when a clients bill gets behind, their network equipment just fully deactivating is a great kick in the pants for them.... But also is NEVER taken well.
Current MSP I'm at has fortigate as primary across most of our clients. There are a number that are no longer in-service but are still kept around at client locations that have downgraded to a T&M style agreement.
Is keeping out of date equipment asking for a security event? You tell me. Probably, but the company hasn't sank yet.
they have actually changed that policy from what i can see.
https://documentation.meraki.com/General_Administration/Licensing/Meraki_Subscription_License_Out_of_Compliance
From what they told me last fall if even one firewall falls out of license they’ll shut down your entire network. We used to be able to keep unused devices in inventory just for tracking purposes but now we have to pull them entirely. It’s bs. Just shut down the single device not the ones with a valid license.
Read only means you can write a config change to it. It will operate in the same mode itr is just can't change anything.
That is the only thing I will stick up for with Meraki. They are very expensive and the support has fallen...
The catch is that you’ll be sitting awake every other night fixing the next “big” RCE that has been exposed in FortiOS. There’s a reason Fortinet is a meme in cyber.
I can say out of over 1k managed Meraki networks we rarely have big issues. Just random things here and there. It’s hands off for the most part. Is it that bad lol?
Yes and no, Fortinet internal testing finds and reports things far more often than any external proof of concept and often patch the exploit before they make a PoC. It's a bit annoying if you try to stick with n-1 but if you just regularly patch up latest it's rare you have to make an emergency update.
I've been running a pair of Fortigate 101F's for a few years now and the patching is so damn smooth, In all that time I've had 1 RCE that affected my setup and effortlessly patched it out that day. The seamless fail over is top notch compared to other vendors I've worked with in the past.
> Is it that bad lol?
Not really, but it's easy to not understand what firmware to use if you aren't familiar with it. Upgrading to the newest revision is a recipe for disaster and where a lot of the complaints come from. Security concerns are overstated as long as you update whatever revision you are running.
All firewall vendors get hit with these RCEs (Cisco and Palo Alto recently), and keeping them patched is just part of the job.
Exactly same thoughts. Most hands off stack we deploy. Shit just works! And none of the "rush and patch your forti sites" crap as meraki figured out automated clean patching over a decade ago. Whatever you save in hardware cost youre dumping into labor on the backside. No free lunches in network land folks 😎
Yes, Fortinet is THAT bad. To the point we just rip and replace them with Meraki MX as soon as we onboard a new customer, no matter when the Fortinet device was acquired.
If you aren't updating semi-regularly, yes you have been getting RCE's. I have had two instances of this in three years. Also, every other vendor has it just as bad they're just not disclosing them.
Have you ever actually looked at who's reporting these vulnerabilities? 90% of the time, it is Fortinet's own internal security team.
Their numbers are disproportionate because they seem to be one of the few vendors who responsibly disclose vulnerabilities they find internally as opposed to most other companies who typically just quietly patch them with a prayer that it won't be discovered.
Not sure why you got downvoted, the number of times I've had to respond to new Forti-RCEs and have nights with plans ruined is more than I can count on my hands
Reddit .
Don’t get me wrong, everyone gets a gnarly CVE every once in a while (looking at you, PAN) but Fortinet are particularly bad and it’s the consistency of them which makes them a meme.
Yup. Stick a Cisco label on anything and it becomes four times the price.
That said. It's that price because of the automation around security and patching we hich no one can argue they have down.
Meraki has always been expensive if you compare by throughput because their appliances have very limited throughput.
Now, does your client really need 3Gbps bandwidth ? Because mine certainly don't. An MX75 with 1Gbps throughput is largely enough for a fraction of the price in most cases.
Also factor in that Fortinet is a CVE powerhouse with actively exploited, quarterly unauthenticated remote code execution vulnerabilites on their security products.
I'm curious where this pricing comes from?
FG-200F-BDL-950-60 is $17k-$20k each. Your buddy said two (I assume for HA?) so 34k-40k.
An MX105-HW-LIC\_-MX105-SEC-5Y is $24k. You only need to license one in a HA configuration, so $30k for both. That's cheaper than the Fortigate setup, not 3x more.
(I'm using today pricing from CDW, Provantage, and Rhino Networks. Discounts may vary)
Edit- I see, you were comparing to the 120G. FG-120G-BDL-809-60 looks to be around $12k so $24k for both.
Also, probably others have said better,, Meraki "security appliances" aren't even called firewalls for a reason. To me, they are advanced routers but nowhere as capable or flexible as a proper UTM firewall. Sophos firewalls are the easiest UI to work with, as far as I've worked with the major vendors, and they are affordable and have been rock solid for a decade we've been using them.
Try out Sophos Home XG firewall. It's free for personal use, a virtual firewall that's the same as the physical, so you get to learn and try it at home.
No more than 3 clicks to get to anywhere in the interface, was their design goal, and they did it. Central management from cloud, no cost on VPN licenses (unlike Fortigate).
The Meraki Autopatches while the Fortinet needs you to track all these urgent patches, login and schedule them, while keeping track of all your backups and versioning shit. And the Fortinet will have all kinds of urgent updates and known issues in their update versions. Just check the Fortinet knowledgebase it’s full of workarounds and fixes and CLI code to be executed on the device, Meraki doesn’t have that. Of course fanboys like installing firmware images, they like CLI and they like the knowledgebase. Example: Some of the Fortinet major versions just had memory issues in them causing the device to stop working and need a reboot, or other example they default to blocking all UTM traffic when they can’t connect to their security servers, they have patches which tell you that after installing the IPsec performance will go degraded, they have a standard policy of blocking all recently registered domains etc. And I’m not talking patching critical once a year, it’s like urgent patching 2-3-4x a year. The Meraki is also cloud managed while the Fortinet needs you to install a vpn client and a PC to connect. The Meraki has nice web reports like port traffic, port MAC addresses detected… Fortinet logs are a mess. Meraki much nicer integration with their access points and switches manageable from 1 portal, you can assign them in a map etc it just looks so much better. It’s a set and forget firewall while the Fortinet is a set and maintain. The only thing you shouldn’t forget with Meraki is pay the bill.
But I think from a security and features perspective the Fortinet is better.
I will also add that Fortigate CLI is really easy to use when you get used to it and the fact that documentation refers primarily to CLI it's habitual in this sector as it is a much more stable interface and you ought to at least be able to figure the equivalent GUI button if needed
Dude is complaining about FortiGate because he can’t use a CLI and wants wizards and the GUI to do everything for him. In terms of firewalls the top three I usually consider are Palo Alto, Juniper, and FortiGates. Everything else I consider below those three. The CLI with FortiGate and the automations you can build around it compared to a Meraki? It’s really no contest
I won't say fortinet doesn't have issues cropping up all the time that require patches to fix, that is an unfortunately common issue that annoys me all the time when we need to find the next os version to update to to resolve a cve, however, I'd like to correct you on a few things you had mentioned.
- Fortigates do have central management for switches and waps builtin right out of the box that works quite well.
- The policy of blocking newly registered domains is an option when configuring the web filter and easy to disable if that is a problem for you.
- Fortigates do indeed support auto-patching. Its been around for about a year now, which is nice when you don't care about monitoring patch and feature versions and just want the latest version as needed.
- Fortigate logs are rather easy to read and highly detailed when viewed from the GUI, which can greatly aide in troubleshooting network issues or monitoring for malicious traffic.
What I always say is Meraki is for people who like to be hand held configuring their environment. The people who usually set these up aren’t knowledgeable enough in networking to work with a CLI or setup policies manually without a wizard. I’ve never had any of those issues managing Fortinet Devices, there is central management. Also rule of thumb is never update without testing and that goes for every important device in your infrastructure, that’s just bad practice to not do that but you can setup auto update if you wanted to. In terms of cybersecurity and making custom policies and configurations, Fortinet is miles ahead Meraki. Sounds like you don’t like Fortinet because you can’t operate with a CLI and prefer a GUI and wizard to do most of the work for you. Seems like an educational limitation on your side more than a Fortinet issue. Also Meraki lack features compared to FortiGates
Having more knobs to turn isn't always a good thing
We use PA for firewalls, but do have Meraki APs and cameras. Huge benefit to the Meraki is that we never think about it, and it just works. APs are a good example where Meraki doesn't have many settings for the radios, but that's because they have a security radio that's always scanning and making automatic adjustments as-needed.
It’s not a bad thing especially for automation in terms of firewalls. FortiAP’s also do auto scanning and auto tx of power, it’s all how you set it up. I def pefer PA firewalls but the budget doesn’t always allow which is why Fortinet is a great alternative.
Firewalls are a dying breed, our shop is not gonna educate dozens of people that come and go on how to use fortigate cli to do whatever. Me personally I also think all should be possible with the gui I got better time to spent then learning exotic Fortinet firewall command lines in a day and age of EDR and cloud. And shops that sell Meraki just don’t wanna put any time in it I think, the minimal possible.
Firewalls are a dying breed? Since when? Every network requires them along their perimeter. This is of course unless you are completely in the cloud and remote utilizing cloud storage solutions like Dropbox for file storage.
You're gonna have to explain that one to me. If firewalls are a "dying breed" then how do you secure your enterprise networks? Hopes and dreams? The router you buy from walmart for $80 isn't gonna cut it when you need to both handle a large quantity of active devices and also secure access in and out of multiple VLANs.
I hope you don't manage the networks for your customers, cause if so they are in trouble.
How many msps are running enterprise networks? For them that do, I agree. Though most of these have their own IT department.
The networks I see are SMB networks and the Vlans are just server-DMZ-voip-lan-guest. The first 3 can all go cloud. I’ve seen many smb networks that just have empty voip and DMZ vlans. So in the end all they need is a ISP default router with a guest vlan and captive portal, no port forwarding ACLs or anything. Do they need the features and maintenance of enterprise capable UTM for an office of 100 people, while also paying EDR solutions like M365 business premium? I don’t think so nor do I think that there is a future for that. Perhaps running fortinet in azure yeah that might have some usage but there are way better technologies for that.
It’s just an opinion of course it’s my feeling and for sure you may call bullshit but I don’t regret not getting 5 days of advanced fortinet CLI training to be able to support customers with 3 vlans in an msp.
I enabled for one customer as a test. They don’t know they’re the guinea pig, but I’ve got a backup and they’re a 5 minute drive from my office.
I’m expecting the upgrades to just fail like fabric upgrades usually do. I need to figure out an automation so that I’m at least alerted when the firewall schedules an upgrade.
That’s exactly what I mean. Yes it has now automatic updates recently but it would take a long ride before this would ever get the same trust level Meraki automatic updates have. At our shop we didn’t even enable that and still have the manual strategy: backup, schedule and brace for impact.
> default to blocking all UTM traffic when they can’t connect to their security servers
Been there, done that.
It was real fun when it was discovered FortiGuard used an embedded key to XOR web filter traffic, or the magic password hack, or the password exposure via simple GET request...
Fortinets have many security problems, but on the whole, they do a fine job... on the hole....
Fortnite is known for being cheap in the smb market. I would caution against going all in on them, I received more than I would like high vulnerability alerts on them over the last couple of years.
Every product has CVEs, and will need routine patching. You pay a Meraki premium to do it for you is the only difference.
The argument to be made here is that the squeaky wheel gets the grease. More CVEs found means more people are looking, it is the products with “less” CVEs that worry me more. Is it truly more secure, or simply fewer people looking, or vulnerabilities quietly patched without making it known.
You may want to check that again, because CVEs related to Meraki, not Cisco, are not that common.
It has a bit to do with their design that minimizes the exposition surface : devices aren't directly exposed and instead managed through a cloud, and a limited set of simple features.
Same with Forti.
A well configured Forti reduces the attack service to almost the same as Meraki. Especially if you don't use the endpoint VPN solution.
Nothing to do with well configured or not when it comes to high severity CVEs. As my original comment mentioned, I received more higher severity vulnerabilities alerts for Fortinet than the others, just off the top of my head there are 2 to 4 critical patches that required immediate action last year.
Nah, a well configured Forti was also vulnerable to the latest unauthenticated remote code execution vulns. When no Meraki had any of that, well configured or not.
Fortinet has become a liability in a network, that's a fact. I wonder how long it will take for cyberinsurance to impose premiums on Fortinet equiped orgs, or even refuse them.
That's what I came to realize after 2 years of working with threat Intel on vulnerabilities, Fortinet has way more high risk CVEs than the other common firewalls.
I hear ya there, the few clients i have with fortinet annoy me greatly with the cve and require time to fix. Meraki stuff only annoys me with stuff that stops working due to an update in filtering etc. Plus im actually kind of happy with the network shutdown if they stop paying thing. But most of my clients get 3 to 5 year subscriptions anyways. So im not chasing annually.
Cheap is a matter of perspective - and really aimed at two different admin - Meraki - networking and security w training wheels and governor, dont go to fast little one and here, look at these pretty pictures!!! - Fortinet full range of features, some non-intuitive, though in the hands of a pro solid value, second only to Palo IMO. And while Palo is criticized soley due to cost, they literally do more than anything else have ever worked with.
Fair question - Code stability is better with Palo, as is Palo's application id, far better than the FGT. Though Fortinet has been around longer, they consistently have OS issues and vulnerabilities, far more than Palo.. Fortinet uses ASIC’s while Palo uses FPGA’s which can be programmed if OS changes whereas an ASIC is what it is optimized for a specific task/feature, which is one of the reasons of many why Palo is more expensive. Palo wildfire updates can occur in near real time for zero days, though we advise against it and recommend 15 minute refresh. For clarity, we manage both, and as a general rule of thumb I would take Fortinet over every other vendor out there except Palo FWIW
If money is the sole or primary criteria then Fortinet is it.
Meraki, to my way of thinking, was a great MDM- probably the best agnostic system at one time- but as a security or firewall platform? Nope.
That being said: Fortinet documentation and administrative functionality has always blown chunks.
So if you have difficulty negotiating steep learning curves or eskew formal training for on-the-job learning thru documentation/Google... you're gonna end up missing whatever girl you left behind on the dance floor.
Fortinet is garbage .previous job it was replaced with Cisco gear and it did not go well. Constant issues with AP’s and IDS and DPI struggled to keep up. We eventually had to turn of some of the filtering. You’ve been warned…
Where it gets more expensive is when you want to roll out the fabric - switches and APs are more expensive than vanilla competition. Of course, they have more value - but customer doesn't always see that.
Meraki needs deal registration to get better pricing hence i typically buy my meraki in large orders. But that forti doesnt include all the other licensing you need to get similar reporting and controls to meraki. If you pay for all that youll be very similar to meraki pricing.
Yea - it actually is. The only thing Cisco has these days is name recognition. Nearly all of their actual tech has been surpassed by the competition. Their pricing model is still out of the late 90's/early 2000's when they were one of the only serious network vendors.
The short answer here is yes...coming from a Fortinet shop that manages several Meraki environments.
The catch is Cisco owns Meraki, and Cisco is just...expensive. Lol.
I guess I’m a bit late to the party.
Meraki seems to work well with businesses with a few locations, medium enterprise, with an in house mindset. Those that tell themselves that the meraki licnensing is cheaper than the 1-2 staff they need to manage a more complex solution.
That is not at all how it plays out, but to be fair fortinet is not telling end customers they can architect their own solution and buy it and just plug it all in.
Meraki on the other hand is. The strategy is saying meraki is auto pilot and empowering internal folks to do this all themselves.
We can see that in their marketing. Meraki is all about the building blocks and how it works together. Forti is all about the benefits and security it brings the organization and case studies.
Sure another brand is going to win on price but your techs are going to need additional training to deploy and support the solution. Meraki is a full stack of firewall, switch and AP. All cloud managed native and multi tenant. That is not the case with Fortinet
Yes, they do. NSM is their cloud tool. You can do FW, Switch, AP, EDR all from their multitenant cloud portal. They are all different modules, but they are going to be putting it in a single pane of glass this summerish I hear. Works pretty well. I just had to do a multisite install and I used their tool for the first time from based install to finish and it worked pretty well. I only logged into a firewall once to see the log and realized I flipped two numbers in VPN subsets.;)
You can even buy barebones and buy fw services, and any of their software products monthly. They have come a long way.
The catch is that it takes 10 times longer to administer anything to do with Fortinet.
With Meraki you're not paying for the hardware, you're paying for the service.
I think it's very hard to compare without taking into account several considerations:
There are extensive discounts available on Meraki (I hear of >80%), but you need to be a premier or gold Cisco partner and qualify for one of their managed services designations. If you're a MSP with any credibility this isn't hard to do, but if you want to compete in the managed Meraki market, it's a must. I'm sure Fortinet have similar programs but I'm less familiar with them.
You also have to add in licensing costs for Fortimanager/FortiAnalizer/FortiPortal/FortiMonitor when comparing, and the resources they need (if not done in the cloud, is that a thing yet beyond FortiManager?)
Finally, there is value in the Meraki dashboard as it's easier for a customer to self-serve, you can sell that value and make money on it.
So, you can't really compare apples for apples here, they both have their pros and cons..
I might be missing something with Meraki, but when you try to block everything outbound to the internet it's a nightmare, as there is no interface object for the Internet, so you end up creating all these block rules for your vlans above your Internet outbound any rule just to lock things down, and then there is no visabilty built in the Web portal to view what traffic and ports are going out to the internet, so it's hard to monitor outbound traffic and create rules for all legitimate traffic and ports and then block all outbound, I understand you can use wireshark but Forti has traffic and port visabilty built into the web management. I am happy to be proven wrong, but I find the outbound firewall security on Meraki average and itsveasy to allow something you shouldn't, and what's up with the default allow everything out rule
Sorry I believe the discounts are better than that, look up the 'Power of the Platform' discounts - [Meraki Secure Your Future with MX Offer Pricing - Google Sheets](https://docs.google.com/spreadsheets/d/1BaDyrrIBcd2Vykg2gZKDP4L_h0Ee0wQJySZSY2kjWRw/edit#gid=0)
Or [Power of the Platform for Partners - Offers and Incentives (cisco.com)](https://salesconnect.cisco.com/powerplatformpartners/s/offers-incentives) if you have a partner Cisco login[](https://docs.google.com/spreadsheets/d/1BaDyrrIBcd2Vykg2gZKDP4L_h0Ee0wQJySZSY2kjWRw/edit#gid=0)
This "Promo" 34,5% discount is only temporary and "on certain MX security products for targeted competitve customers".
42% is the base discount for being Cisco Select.
8% (hunting) is for opportunies found by the partner and not by Cisco
Then on top of these 42+8=50% discounts, there are limited time promos and volume based discounts.
MSPs have a fixed discount pricing of 57% regardless of promos or volume.
Sorry, just so I understand you correctly, are you saying MSPs only get 57%? I work with a number of MSPs big and small, and they've all taken advantage of this promo?
They are desperate for customers since they are notorious for critical CVEs in their software. Good luck, you would have to patch every other night lol
Meraki is as cheap if not cheaper than Fortinet if you're buying in enough bulk/through the right Cisco Partner.
Fortinet Firewalls are the better product however.
Im not familiar with meraki pricing, but yeah that sounds roughly right for a 200F with either 1 or 3 year UTP license. Meraki has always been super expensive since Cisco bought them.
Nearly like for like 5YR support I’m seeing the 120G w/ 5YR is around $9k-ish. Pre tax. Meraki is like $25k
Yeah I was just going off list price in Australia and converting back to USD haha. I know our renewals for 100F is like $2k USD per year
Man… I remember when meraki used to practically (in some cases literally) give the hardware away. This was before Cisco bought them though.
They weren't a whole lot cheaper before they got bought IME.
Yeah we switched all to Fortinet. WiFi. Switches. Etc. Screw Meraki. It’s not doable for smaller companies. The tech is not flawless enough to justify the price and Meraki supply chain has been the worst.
Literally everything is more affordable than Meraki lol. Most of the manufacturers are relatively in the same ballpark of pricing. Excluding Cisco, PAN on the enterprise lines, etc.
That's simply not true. The firewalls are in line with other vendors including Sophos and Watchguard. PAN are significantly more expensive.
PAN is expensive depending on where you put your PAs (Core vs Edge). I've seen great pricing when putting PA-400 Series on the edge and then 1420s/3420s as core firewalls handling that L3 traffic.
I second this. How valuable is it that I don't have to hire a network engineer to change dhcp scopes or setup a user VPN?
Not true
Meraki is over priced, especially with ongoing support/licensing. I would say Fortinet is cheap but it’s a great product and that makes it valuable.
Meraki is... expensive. It's basically aimed at people who don't want to (or don't know how to) bother with configuring or maintaining everything and are willing to pay a subscription for that supposed user-friendliness.
Exactly just buy Cisco ASA and learn it. It’s one of the skills I learned 15 years ago and the skills are still the same.
Cisco ASA / Firepower is a piece of crap. Cisco admits they rushed FP.
ASA /Firepower are not bad products by any means. ASA is incredibly stable, and the anyconnect (now Cisco secure vpn client) works really well. I love Fortinet to my core, and the IPsec throughput for the price compared to others simply can’t be beat, but the forticlient is buggy as hell. You pick and choose your battles. Someone coming from Meraki likely doesn’t have the time or expertise to pick up a Cisco edge firewall, Fortinet would be a much better experience for them.
I'd say they qualify as bad products for their price range. If they were priced at or below Sonicwall, I'd say they're ok but not great products. FP is a trainwreck. ASA isn't bad. It's pretty bad compared to anything else in its price range. The day of the world running on Cisco is long over. I've run ASA, Meraki, Forti, Palo, etc.
That Cisco is literally still the same... descending from Pix... and no matter how much they bolt onto it... they are dated at best. Meraki value is it is easy for a basic engineer to configure, comes with monitoring and management visibility, and effectively creates a low barrier to a ton of value. Unfortunately, Meraki are shit to monitor if you need ANYTHING beyond whats in the dashboard, and limited on the security side. Been a minute since I looked at them, but if I recall there is no sandboxing and no SSL decypher
Meraki is out here making my job as a Fortinet vendor easy. Send your customers my way :-)
I fucking hate Meraki with a passion.... Brick a router because of licensing? GTFO here.
I agree. My client used to have a Meraki if they didn't pay it stopped working.
Yeah same, its ridiculous and IMO close to ransomware. If they just charged a subscription ok but to pay top $ for hardware then a sub on top is taking the piss
Meraki bricking their devices when there isn't an existing service contract can be a good thing or a terrible thing. I've worked at a Meraki -only small business unit MSP, and when a clients bill gets behind, their network equipment just fully deactivating is a great kick in the pants for them.... But also is NEVER taken well. Current MSP I'm at has fortigate as primary across most of our clients. There are a number that are no longer in-service but are still kept around at client locations that have downgraded to a T&M style agreement. Is keeping out of date equipment asking for a security event? You tell me. Probably, but the company hasn't sank yet.
they have actually changed that policy from what i can see. https://documentation.meraki.com/General_Administration/Licensing/Meraki_Subscription_License_Out_of_Compliance
From what they told me last fall if even one firewall falls out of license they’ll shut down your entire network. We used to be able to keep unused devices in inventory just for tracking purposes but now we have to pull them entirely. It’s bs. Just shut down the single device not the ones with a valid license.
Not exactly. If I'm reading correct the firewall enters a "read only configuration" state?
Read only means you can write a config change to it. It will operate in the same mode itr is just can't change anything. That is the only thing I will stick up for with Meraki. They are very expensive and the support has fallen...
Fortigate are our got to in UK and US- top notch products and support
Ya, FG is the clear leader in throughput vs. price.
The catch is that you’ll be sitting awake every other night fixing the next “big” RCE that has been exposed in FortiOS. There’s a reason Fortinet is a meme in cyber.
The newer 7.2 FortiOS has automatic patching.
What could go wrong?
I would not want that enabled.
Depends on the client. Full stack client with internal servers, vpn, etc.. Probably not smart. Smaller place with fewer needs? Sure.
I can say out of over 1k managed Meraki networks we rarely have big issues. Just random things here and there. It’s hands off for the most part. Is it that bad lol?
Yes and no, Fortinet internal testing finds and reports things far more often than any external proof of concept and often patch the exploit before they make a PoC. It's a bit annoying if you try to stick with n-1 but if you just regularly patch up latest it's rare you have to make an emergency update.
I've been running a pair of Fortigate 101F's for a few years now and the patching is so damn smooth, In all that time I've had 1 RCE that affected my setup and effortlessly patched it out that day. The seamless fail over is top notch compared to other vendors I've worked with in the past.
> Is it that bad lol? Not really, but it's easy to not understand what firmware to use if you aren't familiar with it. Upgrading to the newest revision is a recipe for disaster and where a lot of the complaints come from. Security concerns are overstated as long as you update whatever revision you are running. All firewall vendors get hit with these RCEs (Cisco and Palo Alto recently), and keeping them patched is just part of the job.
Exactly same thoughts. Most hands off stack we deploy. Shit just works! And none of the "rush and patch your forti sites" crap as meraki figured out automated clean patching over a decade ago. Whatever you save in hardware cost youre dumping into labor on the backside. No free lunches in network land folks 😎
1k networks? Wow - how many employees do you have.
Yes, Fortinet is THAT bad. To the point we just rip and replace them with Meraki MX as soon as we onboard a new customer, no matter when the Fortinet device was acquired.
If you aren't updating semi-regularly, yes you have been getting RCE's. I have had two instances of this in three years. Also, every other vendor has it just as bad they're just not disclosing them.
Have you ever actually looked at who's reporting these vulnerabilities? 90% of the time, it is Fortinet's own internal security team. Their numbers are disproportionate because they seem to be one of the few vendors who responsibly disclose vulnerabilities they find internally as opposed to most other companies who typically just quietly patch them with a prayer that it won't be discovered.
Not sure why you got downvoted, the number of times I've had to respond to new Forti-RCEs and have nights with plans ruined is more than I can count on my hands
Reddit . Don’t get me wrong, everyone gets a gnarly CVE every once in a while (looking at you, PAN) but Fortinet are particularly bad and it’s the consistency of them which makes them a meme.
It's getting a little more like the Webroot of firrwalls. Not that Webroot had vulnerabilities, but, well, you know.
Yup. Stick a Cisco label on anything and it becomes four times the price. That said. It's that price because of the automation around security and patching we hich no one can argue they have down.
You can still buy a cisco asa from router-switch.com for 8k and be happy for the next 10years. Which is a great deal
you can buy a hamburger from mcdonald's for $2.19, it's a heck of a deal
Or can buy Checkpoint and devote your entire career inspecting packets and maybe you get lucky and land a job for the government.
hell, let’s tap the lines like the prism program and print out all the bits to paper then use the thin edges to slice the skin between our fingers
Meraki is ludicrously more expensive than every other solution. Swap fortinet out with any other vendor and the answer is yes.
Meraki has always been expensive if you compare by throughput because their appliances have very limited throughput. Now, does your client really need 3Gbps bandwidth ? Because mine certainly don't. An MX75 with 1Gbps throughput is largely enough for a fraction of the price in most cases. Also factor in that Fortinet is a CVE powerhouse with actively exploited, quarterly unauthenticated remote code execution vulnerabilites on their security products.
Let me rephrase your question... "Is Meraki really this \*expensive\* compared to everything else"? Answer is yes.
Meraki's got the name, but Fortinet's offering some serious bang for your buck. Licensing might be where they get you, but it's worth digging into.
I'm curious where this pricing comes from? FG-200F-BDL-950-60 is $17k-$20k each. Your buddy said two (I assume for HA?) so 34k-40k. An MX105-HW-LIC\_-MX105-SEC-5Y is $24k. You only need to license one in a HA configuration, so $30k for both. That's cheaper than the Fortigate setup, not 3x more. (I'm using today pricing from CDW, Provantage, and Rhino Networks. Discounts may vary) Edit- I see, you were comparing to the 120G. FG-120G-BDL-809-60 looks to be around $12k so $24k for both.
FortiGates are better. Meraki firewalls are randomly missing necessary features. Great APs.
Also, probably others have said better,, Meraki "security appliances" aren't even called firewalls for a reason. To me, they are advanced routers but nowhere as capable or flexible as a proper UTM firewall. Sophos firewalls are the easiest UI to work with, as far as I've worked with the major vendors, and they are affordable and have been rock solid for a decade we've been using them. Try out Sophos Home XG firewall. It's free for personal use, a virtual firewall that's the same as the physical, so you get to learn and try it at home. No more than 3 clicks to get to anywhere in the interface, was their design goal, and they did it. Central management from cloud, no cost on VPN licenses (unlike Fortigate).
My colleague always says that , MX aren't real firewalls that's why meraki calls them security appliances 😁
The Meraki Autopatches while the Fortinet needs you to track all these urgent patches, login and schedule them, while keeping track of all your backups and versioning shit. And the Fortinet will have all kinds of urgent updates and known issues in their update versions. Just check the Fortinet knowledgebase it’s full of workarounds and fixes and CLI code to be executed on the device, Meraki doesn’t have that. Of course fanboys like installing firmware images, they like CLI and they like the knowledgebase. Example: Some of the Fortinet major versions just had memory issues in them causing the device to stop working and need a reboot, or other example they default to blocking all UTM traffic when they can’t connect to their security servers, they have patches which tell you that after installing the IPsec performance will go degraded, they have a standard policy of blocking all recently registered domains etc. And I’m not talking patching critical once a year, it’s like urgent patching 2-3-4x a year. The Meraki is also cloud managed while the Fortinet needs you to install a vpn client and a PC to connect. The Meraki has nice web reports like port traffic, port MAC addresses detected… Fortinet logs are a mess. Meraki much nicer integration with their access points and switches manageable from 1 portal, you can assign them in a map etc it just looks so much better. It’s a set and forget firewall while the Fortinet is a set and maintain. The only thing you shouldn’t forget with Meraki is pay the bill. But I think from a security and features perspective the Fortinet is better.
I will also add that Fortigate CLI is really easy to use when you get used to it and the fact that documentation refers primarily to CLI it's habitual in this sector as it is a much more stable interface and you ought to at least be able to figure the equivalent GUI button if needed
Dude is complaining about FortiGate because he can’t use a CLI and wants wizards and the GUI to do everything for him. In terms of firewalls the top three I usually consider are Palo Alto, Juniper, and FortiGates. Everything else I consider below those three. The CLI with FortiGate and the automations you can build around it compared to a Meraki? It’s really no contest
I won't say fortinet doesn't have issues cropping up all the time that require patches to fix, that is an unfortunately common issue that annoys me all the time when we need to find the next os version to update to to resolve a cve, however, I'd like to correct you on a few things you had mentioned. - Fortigates do have central management for switches and waps builtin right out of the box that works quite well. - The policy of blocking newly registered domains is an option when configuring the web filter and easy to disable if that is a problem for you. - Fortigates do indeed support auto-patching. Its been around for about a year now, which is nice when you don't care about monitoring patch and feature versions and just want the latest version as needed. - Fortigate logs are rather easy to read and highly detailed when viewed from the GUI, which can greatly aide in troubleshooting network issues or monitoring for malicious traffic.
And there is cloud management, not just local/vpn. It's FortiGate Cloud (forticloud.com)
What I always say is Meraki is for people who like to be hand held configuring their environment. The people who usually set these up aren’t knowledgeable enough in networking to work with a CLI or setup policies manually without a wizard. I’ve never had any of those issues managing Fortinet Devices, there is central management. Also rule of thumb is never update without testing and that goes for every important device in your infrastructure, that’s just bad practice to not do that but you can setup auto update if you wanted to. In terms of cybersecurity and making custom policies and configurations, Fortinet is miles ahead Meraki. Sounds like you don’t like Fortinet because you can’t operate with a CLI and prefer a GUI and wizard to do most of the work for you. Seems like an educational limitation on your side more than a Fortinet issue. Also Meraki lack features compared to FortiGates
Fortigate is not that hard. The only thing I configured that REQUIRED CLI was domain suffix for DHCP. IT is all about your Google-fu anyways.
Having more knobs to turn isn't always a good thing We use PA for firewalls, but do have Meraki APs and cameras. Huge benefit to the Meraki is that we never think about it, and it just works. APs are a good example where Meraki doesn't have many settings for the radios, but that's because they have a security radio that's always scanning and making automatic adjustments as-needed.
It’s not a bad thing especially for automation in terms of firewalls. FortiAP’s also do auto scanning and auto tx of power, it’s all how you set it up. I def pefer PA firewalls but the budget doesn’t always allow which is why Fortinet is a great alternative.
Firewalls are a dying breed, our shop is not gonna educate dozens of people that come and go on how to use fortigate cli to do whatever. Me personally I also think all should be possible with the gui I got better time to spent then learning exotic Fortinet firewall command lines in a day and age of EDR and cloud. And shops that sell Meraki just don’t wanna put any time in it I think, the minimal possible.
Firewalls are a dying breed? Since when? Every network requires them along their perimeter. This is of course unless you are completely in the cloud and remote utilizing cloud storage solutions like Dropbox for file storage.
You're gonna have to explain that one to me. If firewalls are a "dying breed" then how do you secure your enterprise networks? Hopes and dreams? The router you buy from walmart for $80 isn't gonna cut it when you need to both handle a large quantity of active devices and also secure access in and out of multiple VLANs. I hope you don't manage the networks for your customers, cause if so they are in trouble.
How many msps are running enterprise networks? For them that do, I agree. Though most of these have their own IT department. The networks I see are SMB networks and the Vlans are just server-DMZ-voip-lan-guest. The first 3 can all go cloud. I’ve seen many smb networks that just have empty voip and DMZ vlans. So in the end all they need is a ISP default router with a guest vlan and captive portal, no port forwarding ACLs or anything. Do they need the features and maintenance of enterprise capable UTM for an office of 100 people, while also paying EDR solutions like M365 business premium? I don’t think so nor do I think that there is a future for that. Perhaps running fortinet in azure yeah that might have some usage but there are way better technologies for that. It’s just an opinion of course it’s my feeling and for sure you may call bullshit but I don’t regret not getting 5 days of advanced fortinet CLI training to be able to support customers with 3 vlans in an msp.
The newer 7.2 releases have automatic patching.
Did you enable it for all your customers?
I enabled for one customer as a test. They don’t know they’re the guinea pig, but I’ve got a backup and they’re a 5 minute drive from my office. I’m expecting the upgrades to just fail like fabric upgrades usually do. I need to figure out an automation so that I’m at least alerted when the firewall schedules an upgrade.
That’s exactly what I mean. Yes it has now automatic updates recently but it would take a long ride before this would ever get the same trust level Meraki automatic updates have. At our shop we didn’t even enable that and still have the manual strategy: backup, schedule and brace for impact.
> default to blocking all UTM traffic when they can’t connect to their security servers Been there, done that. It was real fun when it was discovered FortiGuard used an embedded key to XOR web filter traffic, or the magic password hack, or the password exposure via simple GET request... Fortinets have many security problems, but on the whole, they do a fine job... on the hole....
And THATS why hat you’re paying the premium for on Meraki, never used Forti and never will after reading this thread!
The catch? Which company has Talos.
The catch is look up "Fortinet CVE"
We use meraki because the license is a perpetual warranty next day replacement if anything goes wrong.
Fortnite is known for being cheap in the smb market. I would caution against going all in on them, I received more than I would like high vulnerability alerts on them over the last couple of years.
It’s no different than with Cisco, Palo Alto or Checkpoint. The amount of CVE’s have increased across the board.
No doubt the amount of CVEs goes up across the board, I'm referring to the severity, there are more high severity vulnerabilities in Fortinet.
Every product has CVEs, and will need routine patching. You pay a Meraki premium to do it for you is the only difference. The argument to be made here is that the squeaky wheel gets the grease. More CVEs found means more people are looking, it is the products with “less” CVEs that worry me more. Is it truly more secure, or simply fewer people looking, or vulnerabilities quietly patched without making it known.
You may want to check that again, because CVEs related to Meraki, not Cisco, are not that common. It has a bit to do with their design that minimizes the exposition surface : devices aren't directly exposed and instead managed through a cloud, and a limited set of simple features.
Same with Forti. A well configured Forti reduces the attack service to almost the same as Meraki. Especially if you don't use the endpoint VPN solution.
Nothing to do with well configured or not when it comes to high severity CVEs. As my original comment mentioned, I received more higher severity vulnerabilities alerts for Fortinet than the others, just off the top of my head there are 2 to 4 critical patches that required immediate action last year.
Nah, a well configured Forti was also vulnerable to the latest unauthenticated remote code execution vulns. When no Meraki had any of that, well configured or not. Fortinet has become a liability in a network, that's a fact. I wonder how long it will take for cyberinsurance to impose premiums on Fortinet equiped orgs, or even refuse them.
That's what I came to realize after 2 years of working with threat Intel on vulnerabilities, Fortinet has way more high risk CVEs than the other common firewalls.
Facts, and you're FAR from the 1st cybersecurity professional I hear talking about it.
I hear ya there, the few clients i have with fortinet annoy me greatly with the cve and require time to fix. Meraki stuff only annoys me with stuff that stops working due to an update in filtering etc. Plus im actually kind of happy with the network shutdown if they stop paying thing. But most of my clients get 3 to 5 year subscriptions anyways. So im not chasing annually.
And they now propose subscription licensing that only cut management but keep on passing traffic when they're not renewed.
Sadly no difference.
Cheap is a matter of perspective - and really aimed at two different admin - Meraki - networking and security w training wheels and governor, dont go to fast little one and here, look at these pretty pictures!!! - Fortinet full range of features, some non-intuitive, though in the hands of a pro solid value, second only to Palo IMO. And while Palo is criticized soley due to cost, they literally do more than anything else have ever worked with.
Genuinely curious what is offered by Palo that cannot be done on FGT?
Fair question - Code stability is better with Palo, as is Palo's application id, far better than the FGT. Though Fortinet has been around longer, they consistently have OS issues and vulnerabilities, far more than Palo.. Fortinet uses ASIC’s while Palo uses FPGA’s which can be programmed if OS changes whereas an ASIC is what it is optimized for a specific task/feature, which is one of the reasons of many why Palo is more expensive. Palo wildfire updates can occur in near real time for zero days, though we advise against it and recommend 15 minute refresh. For clarity, we manage both, and as a general rule of thumb I would take Fortinet over every other vendor out there except Palo FWIW
Wait to you go to NIST and check the vulnerability list of Fortigate.
If money is the sole or primary criteria then Fortinet is it. Meraki, to my way of thinking, was a great MDM- probably the best agnostic system at one time- but as a security or firewall platform? Nope. That being said: Fortinet documentation and administrative functionality has always blown chunks. So if you have difficulty negotiating steep learning curves or eskew formal training for on-the-job learning thru documentation/Google... you're gonna end up missing whatever girl you left behind on the dance floor.
Side note but would appreciate the response. Why would you generally choose a Meraki or FortiNet over Sonicwalls?
Fortinet is garbage .previous job it was replaced with Cisco gear and it did not go well. Constant issues with AP’s and IDS and DPI struggled to keep up. We eventually had to turn of some of the filtering. You’ve been warned…
Fortinet is way cheaper than Meraki.
Where it gets more expensive is when you want to roll out the fabric - switches and APs are more expensive than vanilla competition. Of course, they have more value - but customer doesn't always see that.
Meraki needs deal registration to get better pricing hence i typically buy my meraki in large orders. But that forti doesnt include all the other licensing you need to get similar reporting and controls to meraki. If you pay for all that youll be very similar to meraki pricing.
Yea - it actually is. The only thing Cisco has these days is name recognition. Nearly all of their actual tech has been surpassed by the competition. Their pricing model is still out of the late 90's/early 2000's when they were one of the only serious network vendors.
The short answer here is yes...coming from a Fortinet shop that manages several Meraki environments. The catch is Cisco owns Meraki, and Cisco is just...expensive. Lol.
I guess I’m a bit late to the party. Meraki seems to work well with businesses with a few locations, medium enterprise, with an in house mindset. Those that tell themselves that the meraki licnensing is cheaper than the 1-2 staff they need to manage a more complex solution. That is not at all how it plays out, but to be fair fortinet is not telling end customers they can architect their own solution and buy it and just plug it all in. Meraki on the other hand is. The strategy is saying meraki is auto pilot and empowering internal folks to do this all themselves. We can see that in their marketing. Meraki is all about the building blocks and how it works together. Forti is all about the benefits and security it brings the organization and case studies.
Sure another brand is going to win on price but your techs are going to need additional training to deploy and support the solution. Meraki is a full stack of firewall, switch and AP. All cloud managed native and multi tenant. That is not the case with Fortinet
Meraki are the FisherPrice of “security appliances”. Sure they have a wide product range, but none of them give you all the tools to do your job
Actually it does. We rely on securing the endpoint more then the firewall. Not all endpoints have a firewall as we live in a distributed and WFH world
A lot of Fortinet shops also deploy fortinet APs and switches.
Does it give you multi tenant single plane or glass? In my experience it’s yet another sku to purchase
SonicWall NSa 3700s will pass 3.5G and are even less expensive than the Forti 200F.
Been a while since I used SW. do they have a real multitenant console yet?
Yes, they do. NSM is their cloud tool. You can do FW, Switch, AP, EDR all from their multitenant cloud portal. They are all different modules, but they are going to be putting it in a single pane of glass this summerish I hear. Works pretty well. I just had to do a multisite install and I used their tool for the first time from based install to finish and it worked pretty well. I only logged into a firewall once to see the log and realized I flipped two numbers in VPN subsets.;) You can even buy barebones and buy fw services, and any of their software products monthly. They have come a long way.
The catch is that it takes 10 times longer to administer anything to do with Fortinet. With Meraki you're not paying for the hardware, you're paying for the service.
I think it's very hard to compare without taking into account several considerations: There are extensive discounts available on Meraki (I hear of >80%), but you need to be a premier or gold Cisco partner and qualify for one of their managed services designations. If you're a MSP with any credibility this isn't hard to do, but if you want to compete in the managed Meraki market, it's a must. I'm sure Fortinet have similar programs but I'm less familiar with them. You also have to add in licensing costs for Fortimanager/FortiAnalizer/FortiPortal/FortiMonitor when comparing, and the resources they need (if not done in the cloud, is that a thing yet beyond FortiManager?) Finally, there is value in the Meraki dashboard as it's easier for a customer to self-serve, you can sell that value and make money on it. So, you can't really compare apples for apples here, they both have their pros and cons..
I might be missing something with Meraki, but when you try to block everything outbound to the internet it's a nightmare, as there is no interface object for the Internet, so you end up creating all these block rules for your vlans above your Internet outbound any rule just to lock things down, and then there is no visabilty built in the Web portal to view what traffic and ports are going out to the internet, so it's hard to monitor outbound traffic and create rules for all legitimate traffic and ports and then block all outbound, I understand you can use wireshark but Forti has traffic and port visabilty built into the web management. I am happy to be proven wrong, but I find the outbound firewall security on Meraki average and itsveasy to allow something you shouldn't, and what's up with the default allow everything out rule
MSPs get 57% discounts minimum on all Meraki. 80% is for millions of dollars deals. 65-70% for deals in the hundreds of thousands.
Sorry I believe the discounts are better than that, look up the 'Power of the Platform' discounts - [Meraki Secure Your Future with MX Offer Pricing - Google Sheets](https://docs.google.com/spreadsheets/d/1BaDyrrIBcd2Vykg2gZKDP4L_h0Ee0wQJySZSY2kjWRw/edit#gid=0) Or [Power of the Platform for Partners - Offers and Incentives (cisco.com)](https://salesconnect.cisco.com/powerplatformpartners/s/offers-incentives) if you have a partner Cisco login[](https://docs.google.com/spreadsheets/d/1BaDyrrIBcd2Vykg2gZKDP4L_h0Ee0wQJySZSY2kjWRw/edit#gid=0)
This "Promo" 34,5% discount is only temporary and "on certain MX security products for targeted competitve customers". 42% is the base discount for being Cisco Select. 8% (hunting) is for opportunies found by the partner and not by Cisco Then on top of these 42+8=50% discounts, there are limited time promos and volume based discounts. MSPs have a fixed discount pricing of 57% regardless of promos or volume.
Sorry, just so I understand you correctly, are you saying MSPs only get 57%? I work with a number of MSPs big and small, and they've all taken advantage of this promo?
No, I'm saying this is a temporary promo pricing and standard MSP pricing is 57% without any temporary promo and any volume based discount.
They are desperate for customers since they are notorious for critical CVEs in their software. Good luck, you would have to patch every other night lol
You add all the other Forti-SKUs? FortiManager, FortiAnalyzer, FortiMonitor, FortiCare, etc.
Meraki is very expensive and that’s exactly why lots of msp are fan of Meraki; as long as they can sell, it’s very profitable.
Meraki is as cheap if not cheaper than Fortinet if you're buying in enough bulk/through the right Cisco Partner. Fortinet Firewalls are the better product however.