Most UK firewall RFPs land on the same shortlist: FortiGate, Palo Alto, Cisco Firepower, Juniper SRX. They all do NGFW + IPS + SSL inspection + ZTNA + SD-WAN. The differences that matter aren't feature checkboxes — they're operational fit, total cost over 5 years, and which vendor's console your team already knows. This is the honest UK partner read.
The short answer first
FortiGate is the safe default for UK mid-market — best price-performance per Gbps, deepest SD-WAN integration, and the broadest UK skills market. If you don't have a strong reason to pick differently, FortiGate wins.
Palo Alto is the right call for security-mature enterprises. App-ID, single-pass architecture, and Strata Cloud Manager are best-in-class — but you pay for it on every Gbps and every subscription year.
Cisco Firepower is the right call if you have a meaningful Cisco estate (Catalyst, Meraki, Catalyst SD-WAN, ISE). Single vendor relationship, single TAC, Cisco DNA Center integration. The firewall itself is competent rather than category-leading.
Juniper SRX is the right call when Junos OS expertise is on your team or when you need service-provider scale (SRX5800 class). Underrated in the UK enterprise market but excellent at what it does.
How they actually compare on price-performance
A typical 1 Gbps inspected throughput requirement — the kind a 100-200 user UK office actually needs — sizes to: FortiGate 100F / 200F (around £2-4k hardware + UTM bundle), Palo Alto PA-460 (£6-9k + subscription), Cisco Firepower 1140 (£5-7k + Smart Net), Juniper SRX340/345 (£3-5k). 5-year TCO including subs typically puts FortiGate 30-40% below Palo Alto and Cisco for equivalent throughput.
At the data centre tier — 10-40 Gbps inspected — the gap narrows. FortiGate 1000F/1800F (£15-30k), Palo Alto PA-5220/5260 (£40-70k), Cisco Firepower 4110 (£35-50k), Juniper SRX4200/4600 (£20-35k). Operational fit matters more than the hardware delta at this size.
Where FortiGate wins
SD-WAN. FortiGate Secure SD-WAN is built into FortiOS — no separate licence, no additional appliance. For multi-site UK retail, manufacturing or services orgs, this is a £20-40k/year saving over a separate SD-WAN platform.
Skills market. There are more NSE-certified engineers in the UK than any other vendor. Easier to hire, easier to outsource, easier to bring in cover during a P1.
Bundle simplicity. The UTM Bundle (FortiCare + FortiGuard) is a single line item that covers everything most customers want. Compare to Palo Alto where Threat Prevention, URL Filtering, WildFire, DNS Security and Advanced Threat Prevention are all separate SKUs.
Where Palo Alto wins
App-ID. Palo Alto identifies applications by signature, decryption and heuristics — not just port + IP. For an org where the policy reads "block Tor; allow Office 365; throttle Dropbox", this gets to a clean policy faster than anyone else.
Threat-prevention quality. Independent NSS / CyberRatings testing has Palo Alto consistently in the top 2 for block rate / false-positive ratio. If your CISO has a strong preference for a specific vendor, it's usually Palo Alto.
Strata Cloud Manager. The cloud-native management plane is the cleanest in the category. For multi-site operators with 50+ firewalls, this is genuinely a productivity gain.
Where Cisco Firepower wins
Cisco-shop alignment. If your switches are Catalyst, your APs are Meraki, your SD-WAN is Catalyst SD-WAN, your AAA is ISE, and you have Cisco Smart Net everywhere — Firepower keeps the relationship single-vendor and pricing slightly preferential through enterprise agreements.
Firepower Management Center (FMC). Mature centralised policy + logging. Familiar to teams who already use Cisco Defense Orchestrator or Stealthwatch.
TAC. Cisco TAC is industry-best. P1 hardware failures get a senior engineer in minutes, not hours. For risk-averse industries (banking, public sector) this matters.
Where Juniper SRX wins
Junos OS. If your team already runs Junos on routing / switching, the same CLI + commit / rollback semantics on the firewall is a real productivity win.
Service-provider scale. SRX5400/5600/5800 chassis class is a legitimate competitor to Palo Alto PA-7000 series at meaningfully lower price. ISPs, MSSPs, and large enterprise carrier networks use SRX heavily.
Per-tenant logical systems on a single chassis (analogous to PA vsys) are mature and licensed cleanly.
What Servnet does
Servnet is an authorised UK partner of all four. We sell, deploy, manage and migrate between them, and because we're vendor-neutral, we recommend the right fit, not the highest-margin SKU.
A typical firewall selection engagement runs: 1) scoping workshop (1-2 weeks) covering current estate + threat model + ops capacity, 2) shortlist + commercial modelling (1 week), 3) optional PoV in a controlled environment (2-3 weeks), 4) deployment + cutover (varies by scale).