April 2015 Gartner Magic Quadrant for Enterprise Network Firewalls

The latest Gartner report is out today and it makes very interesting reading.

Both Check Point and Palo Alto are clear leaders as you can see below

Screen Shot 2015-04-24 at 11.24.21









There are some interesting observations. First of all. The gap between the three ‘tiers’ of vendors is now huge. Fortinet and Cisco are the middle tier and the ‘others’ way behind. ITogether sell the Barracuda, F5, Juniper, McAfee and Sophos products. Most of our sales are Check Point and Palo then Cisco. We don’t sell Fortinet. Interestingly Meraki is missing from the analysis. We sell Meraki firewalls.

Comments reproduced from the report on each of the major vendors include

Check Point Software Technologies is co-headquartered in Tel Aviv, Israel, and San Carlos, California. Its portfolio includes next-generation firewalls, threat prevention, Web security, endpoint, mobile security, cloud security and distributed denial of service (DDoS) solutions. Check Point’s enterprise firewall product line includes 17 appliances and two chassis for hardware blades, scaling up to 400 Gbps. It can also be delivered as a virtual appliance, deployed on VMware, Amazon Web Services (AWS), OpenStack and Microsoft Azure, or delivered as software. Check Point firewall capabilities can be expanded by predefined packages of additional software blades. Customers can supplement Check Point’s firewall with an advanced threat offering (Check Point Threat Cloud), and can add additional threat intelligence feeds from third parties (Check Point Intellistore) and integrate Check Point’s firewall with its Mobile Security suite to enforce security policy for mobile users (using Check Point Capsule).

Gartner assesses Check Point Software as a Leader for enterprise firewalls because a good score during technical evaluation continually drives new client wins and contributes to retaining a large portion of its existing customer base. Check Point also shows strong execution on its enterprise-focused roadmap to deliver features targeting the various firewall placement use cases for enterprises.

  • Check Point has one of the largest existing enterprise client bases and continues to appear frequently on final shortlists for enterprise firewall selection. It is able to support these clients globally with a strong channel presence and a significant internal team devoted to firewall feature development.
  • Its comprehensive product portfolio allows Check Point to be deployed in a variety of enterprise use cases. The new chassis solutions further expand Check Point’s ability to scale to the largest data centers and to adapt to their future growth requirements.
  • Check Point firewalls consistently get high scores from clients on security and ease of management in complex environments. It continues to invest in its management suite, with several features in the R80 version intended to improve the auditability and manageability of the security policy, and it has finally merged the network and application components in a unified policy.
  • Gartner believes that Check Point’s strategy to support VMware NSX, OpenStack and Cisco Application Centric Infrastructure (ACI) is a good signal for clients considering Check Point security solutions when they evaluate software-defined network (SDN) projects.
  • Price is the most common factor invoked by Gartner clients to introduce competition for Check Point solutions at renewal time or as a reason to favor competition during shortlists. Gartner analysts noticed that hardware platforms submitted in reseller proposals tend to be more tightly sized, and see it as a tactic to control total costs. In a few reported client situations, undersizing was a clear reason for performance issues, and caused unnecessary back-and-forth discussion to get the adequate model.
  • In 2014, Gartner observed a higher than usual number of clients reporting stability issues with Check Point solutions, and unexpected long resolution time. This peaked in 2Q14, then plateaued at a lower lever during the second half of the year. Gartner analysts observed that many of these incidents involved clusters of new hardware platforms running the first versions of the unified GAiA OS, with the situation improving as Check Point simplified the number of supported legacy versions.
  • Check Point customers are often slow to adopt new software options like its threat emulation software blade. Gartner believes that reasons include insufficient results of marketing operations to support the launch of these options, as well as the fact that Check Point clients are not willing to subscribe to additional software options after the initial sizing, in fear of performance issues. This increases the time for these new options to become mature, as they benefit from a lower amount of client feedback.

San Jose, California-based Cisco has a broad network security product portfolio across firewall/IPS, Web security and email security tiers. The firewall offering is primarily via the Adaptive Security Appliance (ASA) brand that includes an IPS released in 2014. ASA with FirePOWER services is the ASA with the Sourcefire IPS Advanced Malware Protection (AMP) and application visibility and control added in. Cisco’s virtual firewalling lines, the ASAv and the VSG, require the presence of the Nexus 1000v virtual switch.

For a while, Cisco will have two primary console offerings. First, the Adaptive Security Device Manager (ASDM) can function as an on-the-device single-instance manager. In addition, the combination of FireSIGHT — which manages the IPS function for ASA with FirePOWER services — and Cisco Security Manager — which manages the ASA firewall — is the alternative for ASA with FirePOWER services. Gartner expects that Cisco will unite the Cisco management console in the short term.

Before the introduction of ASA with FirePOWER services, Gartner saw Cisco winning firewall procurements mostly through sales/channel execution or aggressive discounting for large Cisco networks customers. With the introduction of ASA with FirePOWER services in September 2014, Cisco became more able to compete in the NGFW field

Cisco is assessed as a Challenger for enterprises. Gartner did not see it displacing Leaders based on vision or features, and we rarely saw Cisco release firewall innovations that caused Leaders to react.

  • The Enterprise License Agreement (ELA) for security software and hardware adds value for Cisco security customers that are undertaking multiyear deployments and wish to maintain a timetable and product flexibility.
  • Gartner clients consistently rate the Cisco support network as excellent, and it is the most-often-cited reason for loyalty to Cisco security products. The vendor has strong channels, broad geographic support and wide availability of other security products. Surveyed Cisco firewall clients consistently ranked the availability and presence of other products from Cisco within their networks as the most important factor in their selection of the vendor.
  • Cisco offers a wide choice in firewall platforms. The primary offering is the stand-alone firewall ASA, but firewalls are also available via the Firewall Services Module blade for 6500 and 7600 series switches, on Cisco’s ASA for virtual data center and cloud environments, and on Cisco’s Internetwork Operating System (IOS)-based Integrated Services Router. Gartner views the Platform Exchange Grid (pxGrid) initiative to allow third-party components onto the ASA as the most promising development in the Cisco firewall roadmap.
  • The integration of reputation features across Cisco security products is a strength. The rich context provided by the FirePOWER services integration adds to this advantage.
  • The inclusion of Sourcefire IPS within ASA has improved the quality of the ASA IPS and application control.
  • Gartner clients select Cisco firewall products more often when security offerings are added to a Cisco infrastructure, rather than when there is a shortlist with competing firewall appliances. In the survey sent to vendors, Cisco’s product was the second most frequently listed as the one vendors claimed to replace the most; however, it was also listed this year as No. 2 in the vendor list of perceived competitive threats.
  • Cisco’s security console offerings consistently score low versus competitors in assessments conducted by Gartner clients. However, Gartner believes that moving completely to the Sourcefire FireSIGHT will bring improvements.
  • Cisco scored lower than most competitors in a Gartner survey of users for overall client satisfaction.
  • Cisco ASA has a firewall console integration of a local sandbox-based advanced targeted attack (ATA) cloud instance or appliance through Advanced Malware Protection (AMP); however, Gartner clients choose AMP not for its undifferentiated sandboxing capability, but for other ATA detection strengths. Cisco can improve its ATA-associated sandboxing if it integrates its 2014 acquisition of ThreatGRID.

Palo Alto Networks is a California-based pure-play network security company that has been shipping enterprise firewalls since 2007. Palo Alto Networks is known mostly for its innovations in application control and for improving integrated IPS in firewalls. The firewall product line includes 18 models, with a maximum throughput of 120 Gbps for the PA-7050, released in 2014. With the acquisition of Cyvera (rebranded as Traps), Palo Alto Networks now offers a second endpoint product, in addition to the existing GlobalProtect. Palo Alto’s cloud-based network sandbox service, WildFire, saw high attach rates for new and existing customers in 2014. Palo Alto’s work with VMware NSX has provided customers another option for placing Palo Alto products in virtualized data centers.

Palo Alto Networks is assessed as a Leader, mostly because of its NGFW focus, and because of its consistent visibility in Gartner shortlists for advanced firewalls use cases, frequently beating competition on feature quality.

  • Gartner clients consistently rate the Palo Alto Networks App-ID and IPS higher than competitors’ offerings for ease of use and quality.
  • The firewall and IPS are closely integrated, with App-ID implemented within the firewall and throughout the inspection stream. This “single pass” is assessed as a design advantage by Gartner clients, as opposed to the unnecessary inspection that can occur in competing products that process traffic in serial order.
  • Palo Alto Networks was consistently on most NGFW competitive shortlists seen by Gartner, and in the survey to vendors, it was most mentioned as the strongest competitor with which these vendors compete.
  • The roadmap focus on VMware NSX displays strong leadership toward solving clients’ future problems. Palo Alto shifted focus correctly to east-west segmentation rather than whole data center firewall virtualization.
  • The WildFire advanced threat appliance and cloud service are popular add-ons with new and incumbent Palo Alto Networks firewall customers, giving them an option versus third-party advanced threat appliance solutions.
  • Gartner clients report Palo Alto Networks’ direct sales and resellers being overly optimistic about the performance impact of turning on antivirus (that is, Web anti-malware), and conflating antivirus with IPS and/or other features, or claiming a 0% performance impact when enabling the antivirus (AV) function, which is not credible with customers. Gartner believes that this approach has eroded customer trust in the Palo Alto Networks brand.
  • Gartner does not see Palo Alto reproducing its firewall success in its attempt to enter the endpoint market. Gartner considers Palo Alto’s entry into the endpoint market as a high risk move that could dilute company attention into a nonadjacent market and could alienate the network security buying center. The endpoint should be addressed through a third-party ecosystem or pushed stronger as an independent effort.
  • The company must develop a better third-party product support ecosystem.
  • Like other vendors with leading products, Palo Alto Networks is challenged to win selections in which price is weighted more than security features, as in Type C enterprises (see Note 1). It also does not offer the smaller appliances that competitors position in distributed enterprise deals.
  • The clients we interviewed would like to see better log handling at scale. Also, the client complaints we receive regarding Palo Alto Networks usually relate to management console issues at scale, or anecdotes of channel partner shortcomings.
This entry was posted in News and Updates, Opinion. Bookmark the permalink.

Leave a Reply