When I Tell Clients NOT to Buy Fortinet
This might surprise you coming from a Fortinet MSSP partner who sells and manages FortiGates every single day.
But I have told clients not to buy Fortinet. More than once. And I will do it again.
Here is when.
When Your Team Has Deep Palo Alto Experience
I have seen this play out too many times: a CISO arrives from an organisation that ran Palo Alto. They join a new company considering Fortinet. The logical choice on paper turns into a training nightmare because the team has 15 years of PAN-OS muscle memory.
The firewall is only as good as the team managing it. If your team knows Palo Alto cold and FortiGate warm, you are better off buying Palo Alto—even if it costs more per Mbps. I have seen an enterprise spend ₹18 lakh on FortiGates and then burn ₹25 lakh in overtime while the team struggled to migrate rulebases. This is a common FortiGate vs Palo Alto dynamic: hardware benchmarks favour Fortinet, operational familiarity favours Palo Alto. Pick the one your team can operate at 3 AM.
When You Need a Truly Multi-Vendor Strategy and Cannot Pick One
Some enterprises—especially very large banks and telecoms—have legitimate reasons to run multiple firewall vendors. Acquisitions bring inherited estates. Regional compliance requirements mandate specific vendors. Geopolitical supply chain concerns make single-vendor dependency a risk. If your architecture genuinely requires three vendors, do not let a partner talk you into standardising on one before you are ready.
But be honest: is it a genuine requirement, or is it “we have always done it this way”? I have seen data centres running three firewall vendors because nobody had the courage to standardise. That triples the training load, management platform cost, and surface area for configuration drift. If you need Fortinet alternatives in specific regions, run those through a proper TCO analysis first.
When You Are Buying Firewalls Without a Managed Service
A FortiGate 600F sitting in a rack with default settings, unpatched firmware, and no active monitoring is not security. It is a very expensive paperweight. If your organisation does not have the team to configure, tune, monitor, and maintain a Fortinet deployment, buying it is worse than buying nothing—because you will have a false sense of security that will not survive its first real test. I have seen this exact scenario: a mid-market company bought two 400F units, deployed them with a default permit-all rule structure, and never touched them again. When a ransomware incident hit six months later, the firewall had logged the C2 beacon traffic—but nobody had looked at the logs because there was no monitoring, no SIEM integration, no rule review cadence.
My honest advice in this scenario: either build the team first (hire a senior Fortinet engineer, budget for FortiManager, plan the training programme), or buy a managed service from someone who already has the team. Do not buy the hardware and hope the expertise materialises. This is not a knock against Fortinet. It applies equally to every firewall vendor on the market.
When You Want a “Set and Forget” Firewall
No firewall is set-and-forget. Not Fortinet. Not Palo Alto. Not Cisco. Not anyone. But some vendors do a better job of surfacing what needs attention in a way that matches your team’s skill level. If your team does not have the bandwidth to manage a security relationship with the vendor—quarterly firmware updates, monthly rule reviews, weekly threat feed tuning, SSL certificate lifecycle management—Fortinet’s ecosystem will not save you.
In that case, I would recommend a fully managed firewall service rather than a product purchase. The product is not the solution. The operations around the product are the solution. An MSSP recommendation that leads with “buy this hardware” without checking your operational readiness is not a recommendation—it is a sales pitch. I avoid those.
When Your Compliance Requirements Favour a Different Ecosystem
Certain regulated industries have compliance frameworks that map more cleanly to specific vendors. Healthcare organisations in the US often prefer Palo Alto for its HIPAA compliance documentation. Indian banks with their specific CERT-In reporting requirements sometimes find that a particular vendor’s logging and reporting module maps better to the audit framework. If your compliance auditor has strong opinions about which vendor makes their job easier, that is a real factor. Do not ignore it because of a price advantage on hardware.
I have told clients: “Fortinet can meet these requirements, but it will take more config work. Palo Alto has a pre-built compliance dashboard. You will pay more per unit but spend less time in audit.” Some chose Fortinet and made it work. Some switched. Both were right for their context.
When Budget Is the Only Reason You Are Choosing Fortinet
Fortinet is cheaper per Mbps than Palo Alto. But if the only reason is price, you have not done the full analysis. TCO includes training, management licensing, support contracts, and the cost of a less familiar interface during a crisis. I have seen procurement teams claim “Fortinet is 40% cheaper” without accounting for FortiManager, FortiAnalyzer, FortiCare, and training. The real gap was closer to 15%.
The Honest Truth
I am a Fortinet partner because I genuinely believe their hardware is the best price-to-performance in the market. I have deployed over a thousand of them. I know what they do well (a lot) and where they have gaps (a few—every vendor has them). When I make an honest firewall recommendation, I start with the team, the operations, and the compliance requirements—and only then look at the hardware.
But the best firewall for you is the one your team can manage effectively, consistently, and securely. If that is Fortinet, great—I will help you get the most out of it. If it is Palo Alto, I will help you get the most out of that too. If it is Sophos, I will raise an eyebrow and then help you make it work.
Trust in cybersecurity is built on honesty. And the most honest thing I can say is: I would rather you buy the right firewall from someone else than the wrong firewall from me.
Sanjay Seth, CEO of P J Networks. We are a Fortinet MSSP partner, but we have deployed and managed every major firewall brand. If you want an honest conversation about what fits your environment, talk to us.