When I Tell Clients NOT to Buy Fortinet




This might surprise you coming from a Fortinet MSSP partner who sells and manages FortiGates every single day.

But I’ve told clients not to buy Fortinet. More than once. And I’ll do it again.

Here’s when.

When Your Team Has Deep Palo Alto Experience

I’ve seen this play out too many times: a CISO arrives from an organisation that ran Palo Alto, loves Panorama, knows the CLI intimately. They join a new company that’s considering Fortinet because of the price-to-performance ratio. The logical choice on paper turns into a training nightmare because the team has 15 years of PAN-OS muscle memory.

The firewall is only as good as the team managing it. If your team knows Palo Alto cold and FortiGate warm, you’re better off buying Palo Alto—even if it costs more per Mbps. The operational cost of retraining, mistakes, and slower incident response will eat the hardware savings. I’ve seen it happen.

When You Need a Truly Multi-Vendor Strategy and Can’t Pick One

Some enterprises—especially very large ones—have legitimate reasons to run multiple firewall vendors. Acquisitions. Regional compliance requirements. Geopolitical supply chain concerns. If your architecture genuinely requires three vendors, don’t let a partner talk you into standardising on one before you’re ready.

But be honest with yourself: is it a genuine requirement, or is it “we’ve always done it this way”? I’ve seen data centres running three firewall vendors because nobody had the courage to pick one and standardise. That’s not multi-vendor strategy. That’s indecision with a hardware budget.

When You’re Buying Firewalls Without a Managed Service

A FortiGate 600F sitting in a rack with default settings, unpatched firmware, and no active monitoring is not security. It’s a very expensive paperweight. If your organisation doesn’t have the team to configure, tune, monitor, and maintain a Fortinet deployment, buying it is worse than buying nothing—because you’ll have a false sense of security that won’t survive its first real test.

My honest advice in this scenario: either build the team first (hire a senior Fortinet engineer, budget for FortiManager, plan the training), or buy a managed service from someone who already has the team. Don’t buy the hardware and hope the expertise materialises.

When You Want a “Set and Forget” Firewall

No firewall is set-and-forget. Not Fortinet. Not Palo Alto. Not Cisco. Not anyone. But some vendors do a better job of surfacing what needs attention. If your team doesn’t have the bandwidth to manage a security relationship with the vendor—firmware updates, rule reviews, threat feed tuning, SSL certificate management—Fortinet’s ecosystem won’t save you.

In that case, I’d recommend a fully managed firewall service rather than a product purchase. The product is not the solution. The operations around the product are the solution.

The Honest Truth

I’m a Fortinet partner because I genuinely believe their hardware is the best price-to-performance in the market. I’ve deployed over a thousand of them. I know what they do well (a lot) and where they have gaps (a few—every vendor does).

But the best firewall for you is the one your team can manage effectively, consistently, and securely. If that’s Fortinet, great—I’ll help you get the most out of it. If it’s Palo Alto, I’ll help you get the most out of that too. If it’s Sophos, I’ll say “interesting choice” and then help you make it work.

Trust in cybersecurity is built on honesty. And the most honest thing I can say is: I’d rather you buy the right firewall from someone else than the wrong firewall from me.


Sanjay Seth, CEO of P J Networks. We’re a Fortinet MSSP partner, but we’ve deployed and managed every major firewall brand. If you want an honest conversation about what fits your environment, talk to us.
