We are a Cisco shop with ranging from 2 9600s as core, 9500s as distributions and around 80-90 Access layers. 2 X ASA 5516 for L2L VPN and RA VPN, Cisco collaboration and Cisco CM managing all Cisco phones and FX devices, DNAC, ISE, etc. Seems to be my long journey with 2X Firepower 2110 in HA is coming to an end after 7 years in production and acting as a IPS/IDS, URL filtering and App filtering edge firewall. It has served me well and it's time to move on as I see no foreseeable future for it as in these years I have seen no innovations or fixing the underlying issues. Cisco surely is spending millions on their UI design to look more pretty and making it more accessible to end users, I'' give them that for sure.

Of in these 6-7 years I have reported around 50 bugs to Cisco to which for my surprise most of them were let down saying oh we will fix that in next release (which is almost 6-7 months if not an year). So god forbid, if you come across a critical bug which I have couple times you will be turned around saying we will fix that in next release but here is a workaround to shove it in your butt which will create more problems in your life which you haven't had already.

What I like about Firepower and what I don't:

Likes:

- I love the ease of it integrating so easily with other Cisco products (which we already have).

- Like the layout of the UI with recent introduction of unified events which makes things easier for me to drill down to a specific event.

- I Like the Snort 3, I have yet to see a more powerful IPS in this price point.

- Updates and upgrades are a breeze, when I update I can just leave at that point and go to bed knowing that when I come back tomorrow the firewall would have upgraded successfully and be ready.

Do not like:

- The headache that comes with bugs specially the critical ones which hamper the overall functionality for the customer.

- Problems with TAC (although sometimes), if there is something that doesn't work they'll ask if it's a production down and as soon as you say no then case get's downvoted to P3 or P4 case and then you are on mercy if you get a reply on time. They other day I had an issues with SSL decryption and the case was downvoted to P4 and engineer didn't reached out for 2 days and I had to disable the decryption altogether temporarily which is a risk that I have to bear.

- URL and App filter is a hit or miss with Firepower sometimes.

- For Domain authentication where you set a rule that only if a machine is in domain will get access to internet and resources you will have to deploy ISE or ISE-PIC (cut down version of ISE) yes you heard it right, you'll have to deploy a VM and manage that too.

- Not to mention the licensing which has been a trend nowadays for hating Cisco. I have to license both Firepowers (running in HA) to make use of anything be it URL filtering, IPS, App filtering, etc.

I am looking at pair of Palo Alto 3410 or 3420 or pair of Fortinet Fortigate 400F. Which do you thing suits my needs best?

With Fortinet the hardware License is as cheap as renewing my contract licenses with Cisco.

With Palo Alto, I do not have to pay subscription for 2 devices, I can just get a HA license and that's it.

I just need a firewall that has a great visibility, does the inline IPS well and has a good APP ID/URL and of course less bugs than Cisco.