Forescout Platform Reviews

We needed some protection in our environment. We use this product in some areas in our network to monitor the security of the endpoints of our users. 

The environment was easy to configure. 

The user management has been very easy for the most part.

The initial setup is pretty easy.

Technical support has been very helpful.

The stability overall is good.

The licensing costs are quite high. With the amount of hardware we have, we need too many licenses to make the product effective and it's ultimately just too costly.

We may have some problems with compatibility - specifically with Cisco switches. We have the perimeter a Check Point firewall as an alarm for VPN connections. We have users integrating the VPN Check Point with Forescout. We can't seem to scale due to compatibility issues and price.

We have been working with the solution for around two years. It hasn't been that long. That said, we are moving away from the solution.

Overall, the stability of the product has been very good. It doesn't crash or freeze. There aren't bugs or glitches. It's been set up very well. We've found it to be reliable and the performance is good.

Our issue, in terms of scalability, is that we have a brittle machine. We struggled to get the licenses loaded. We would need to change the machine in order to develop a certain level of scalability capabilities.

At the moment, we have about 100 users on the solution, however, we require more licenses. Our goal was 1000 users on devices, however, it wasn't possible. The economics were against us.

While I have never personally opened a case with technical support in the past, my colleague has. He found them to be very responsive and helpful. He was satisfied with their level of service.

We did not previously use a different solution. Forescout was our first.

We are just now migrating to Cisco ISE. The problem is that we have around 500 users and we have only 100 licenses from Forescout due to the fact that it is a little expensive for us. We are trying instead to move to Cisco ISE, which has better pricing.

The initial setup was not complex. It was pretty easy. Installation maybe takes one or two days, and the implementation in total takes around two weeks.

We have a partner from Forescout in my country. He came to my company to meet with us. He helped explain a few things and assisted with network displays. 

There were about eight people that handled deployment between our end and the technical support side.

A Forescout representative ultimately came to our company for us. They assisted a little. They understood the cloud very well and were very helpful.

The licenses are quite expensive. Ultimately, we couldn't afford the amount we needed, and therefore we are moving off the product.

We might have paid in the ballpark of $20,000 yearly for our licenses. I do not recall there being other fees over and above the standard licensing fee.

We evaluated Cisco. The difference is the compatibility with our network. Other switches are Cisco devices, and therefore the compatibility and the integration were a little easier. With Forescout we have had some issues with some other access points. With Cisco ISE, we don't have that problem.

I do not recall which version of the solution we are using. We use the on-premises deployment model, however, we also have some clients on the cloud.

I would advise other organizations that, if they have multi-vendors in their network, use Forescout. However, if most of the devices are Cisco, it is best to use Cisco ISE.

It is a great tool and solution. We looked into it with the Magic Quadrant of Gartner and we have seen that it is a leader in the space. However, for us, it just doesn't work as well in terms of compatibility.

I'd recommend the solution. I would rate it at an eight out of ten.

It provides us with visibility into what's connected to our network, such as contractors, mobile devices, and whether they're a part of our corporate asset list or not.

We use it to prevent malicious activities on our network that potentially infiltrate it. We've been able to take out over twenty percent of our threats connected into our environment that we just never had a means to stop from connecting up to our network.

We've discovered regular assets. Let's say you had a mobile device, you walked into our network, and you said "hey, I need to connect up to the network. I'm a contractor here for you all and I'm going to add in one device". You immediately now have access into our environment.

It needs easier integration to other partners that automate functions within the security phase. There's no difference because you're not going to be able to fill the places fast enough for all these security people. So how do you get it to be able to manage more with less people by automating some of the functions? So when, for instance, NetScout discovers something and installs a ticketing system instead of sending an alert to a person, it automatically opens a ticket with the appropriate levels and automates that stuff.

We've had no issues with deployment.

It has been stable. The benefit wasn't around stability, it was more around preventing instability. What we were fearful about is whether or not customers would get impacted by the restriction of them not being able to connect to the network.

For instance: you're an employee, your laptop was part of our asset, but your phone was not and your tablet was not. All of the sudden, now all three of those devices were all connected into environment. Well, I only want your laptop to be connected. Your mobile devices, I really don't care to because when you go, you surf wherever you want on your stuff. You could probably pull up malware and then plug it in as soon as you put in your credentials into our network. So we want to keep that one off and allow you to connect to the network but connect to the internet, but not to my infrastructure.

We haven't scaled it all the way up, but we started to pilot, grew it to a couple of floors, and then grew it to an entire building.

I've never had to use it.

My understanding is that it was complex simply because my mandate is to zero-in back to the user.

We did look at multiple partners and we ended up with ForeScout.

Definitely use it. It's a good protection tool.

We're Forescout partners and offer this as a solution to our clients.

The solution's most valuable aspects are its network visibility and its ability to extend into other solutions for integration purposes. 

The initial setup is quite simple. It's not too complex or difficult to set up.

The solution needs more definitive pricing. The costs are hard to nail down.

I've been using the solution for less than two years. It's been one and a half years at this point. It hasn't been too long.

The solution is stable. It's very reliable. There aren't bugs or glitches. It doesn't crash.

The solution is scalable. If an organization needs to expand it out, they are able to fairly easily.

We tend to use this solution for different sized companies in various markets.

Technical support is great. We find them to be quite knowledgeable and responsive. We're very satisfied with the level of support we receive.

The initial setup is not complex at all. It's straightforward. It's pretty easy to manage.

We implement and deploy the solution for our clients.

The pricing is very important in Sri Lanka. We're sensitive to pricing. We'd like it if the solution was more clear on their pricing and if they were able to lower it.

We try to always use the latest version of the solution.

We're a partner. We use various deployment models, depending on the company we are implementing the solution for. We use both cloud and on-premises deployment models.

I'd recommend the solution to other users and companies. We've been quite pleased with the solution so far.

The customers seem to be very happy with the product as a whole. It's just the pricing that worries everyone. There's the competition to consider. If others can offer better pricing, I believe we would probably consider deploying it instead.

That said, overall, I'd rate the solution nine out of ten.

My company is in the financial services industry. The primary use case is Network Access Control and control endpoint access to network. The environment is used to process sensitive data. We want to ensure that rogue devices and unauthorized devices are unable to join the network. This will reduce our exposure to attacks.

It has helped with improving our security posture in terms of controlling the access of rogue devices into our network through identification. We have been able to prevent rogue device activities on the network, check the health of the system, and ensure remediation. 

It has provided visibility into the workings of our routers and switches. We also extended this capability to our branch offices through a WAN connection.

Access control: Being able to set policies that determine how devices join our network and how they are expected to behave while on the network. The fact that we are able to access the hygiene of our endpoint and monitor it continuously makes it fit for purpose.

I would advise Forescout through their research and development to look for features that they can add. Also, based on the what other competition may be selling, if they find any useful feature, they should add those to their product.

The last three months.

It is stable and reliable.

It is a good product that is fit for purpose.

Fantastic

No.

The initial setup is a bit complex.

Not applicable.

The setup cost, pricing, and licensing are on the high side.

No. I heard of Forescout, then went ahead and bought it.

As a university, we have used ForeScout to help us get a hold on student computers and their infections, and to keep those infected systems off our network. We are also currently using ForeScout as a mechanism to allow us to automatically move student game consoles to a separate VLAN, and then move the port back to the primary dorm VLAN when a PC or other device is plugged in.

ForeScout has the built-in ability to identify network devices without a separate subscription or device, and that allows us to identify when students plug into a switch or router (not allowed on our network), or tries to put their computer on the less restrictive game console VLAN. The rule sets allow you to configure different rules for different devices or networks from a single location, and provides a single-pane-of-glass view into any network traffic it can see.

The configuration of the rules is both a blessing and a curse. While it is almost infinitely configurable, knowing how to get the product to do what you want it to do can be difficult, especially at first.

The biggest problem we have had with ForeScout is that in order for it to see all of your network traffic it must have access to that traffic. So if your traffic has multiple ways to reach the internet or other resources, then you need multiple network taps in place to see that traffic.

We have used ForeScout since summer of 2012.

Other than the infinite configurability and need to have multiple network taps to see all traffic, we haven't had issues with deployment.

Stability has been like a rock, and it is a product that just seems to work.

We have had no issues with scaling it for our needs.

We have had mixed success with support. Sometimes we had amazing people who knew just what we needed and how to help us get there with minimal fuss. Other times we were explaining to support how to work around an issue so other customers wouldn’t have to deal with what we were dealing with.

We previously used Perfigo, which was later bought by Cisco and became Clean Access. ForeScout offered us a device with a 10GB connection, and that on top of the feature set for the price sealed the deal.

The initial setup was very straightforward, but due to our backbone switch/network configuration, we had to make last minute tweaks to get the product to see all our traffic. Also, we struggled to get our rules properly configured so that students weren’t negatively impacted by misconfigurations that would either prevent them from getting on the network at all, or repeatedly require them to log in.

Our third-party consulting firm (Konsultek), hit one out of the park in helping us, and they made sure we were up and running before the start of school, despite our tight timeframe for implementation.

We used a third-party group to assist us with implementation, and that made all the difference for us as we were able to pull from their experience and knowledge to help us get up and running.

The best advice I can offer is to make sure to understand the rules and how they work as that was a bit of an issue for us in the first few weeks when we worked out how to “fix” some of the issues (client time-outs, repeatedly being asked to log in) as they came up. Also, test everything before rolling out to production.

ForeScout provides some of the greatest visibility into network traffic, showing you exactly who is doing what, down to the port and protocol being used, capturing entire conversations between endpoints. It is a simply fantastic tool that provides network and security persons with the ability to throw up honeypots.

The most valuable feature is agent compliance. When somebody plugs in a device and the device powers up, CounterACT goes through to make sure that rules we have in place are accurate or in line with what we'd expect. Once that completes, the machine gets an IP address from DHCP.

We could go into some other forensics. What happened to a device, let's say, it gets a virus. Okay, let's do some forensic work on it. When did the PC boot up? When did CounterACT first see it? What time stamps? We're able to see things of this nature.

The other nice thing we can do quickly when we're just doing audits or inventory is to pull up a list of clients. How many machines are on this switch? How many are on that switch? Are there switchboards that have more than two MAC addresses? If we know that a switchboard has, say, six MAC addresses on it, then we know that they probably have a hub.

I think the most valuable piece is to make sure that devices that we don't want on our network aren't on it. That's the most important. Somebody walks into a will-call area or to an area that's, say, open to the public, and they plug in a computer, that computer may have an exploit or is malicious in some way. It won't get an IP address and won't be connected. That's the most important feature.

I would like to see some reporting features. Things like, if our tech support department comes to us and says, "Hey, how many Dell model 390 PCs do we have in the company?" They can just click on a report that would show client name, machine model, IP address, last user login, etc. I think that people would find that very useful.

I think off-the-bat, when somebody pulls up the CounterACT interface, there's a lot going one. It's easy, but I don't think it's easy for somebody who just walks in blind. If there was a reporting feature, or something more incorporating tech support people, that would make their life easier. It mitigate the requests that we get to give them that information.

We've had no issues with deploying it.

Overall, I think it's pretty stable. We did have some problems with the wireless plan. The wireless plug-in, where a device that we asked to be blocked for whatever reason, is not blocked. For a couple of months, we had the wireless plug-in disabled because too many end-users were being blocked when they shouldn't have been.

From the wireless standpoint, I would say that the reliability was somewhat poor, but CounterACT worked with us over a couple month period and did push out a patch. Today, things are better.

We have three thousand end-user clients. Those are the majority of the people whom we monitor with CounterACT and not so much core devices like servers, or mainframes, or things of that nature. If we have to roll out an update to a client or some of our mobile users, it does so pretty seamlessly.

They were very receptive, wanted to know exactly what was going on, wanted examples, etc. They did what they needed to do. Through some dialogue over probably about six weeks, we ended up getting an updated wireless plug-in, which seemed to resolve the issue.

We were not using a device previously. I think the goal was originally, how do we know what's on our network? CounterACT solved that problem by allowing us to create our own rules that we wanted. It starts from a very high level and you can drill down into devices. We can now categorize, say, things like IOT devices such as clocks that operate wirelessly, building automation. We can get into all these different categories and groups of things. Whereas, before we really didn't know it. If you plugged in a device, you were getting an address from DHCP. Now, you have to meet these requirements to get an address.

It was pretty straightforward. I've been in a number of roll-outs and this one was pretty easy.

We have one CounterACT appliance that does our Chicago office. A second appliance, which does our other four branches who are a little bit smaller. We separated that work and then we also have somewhat of a redundancy. As far as the configuration and getting things up and running goes, it starts with a nice, very high-level baseline. Then you kind of incorporate the rules that you want to incorporate as you go along, which makes it nice.

I think we went right after CounterACT. We sampled around I think on the web and just looked for solutions. But, CounterACT really came out to be the one that was easy to use. The price was right. The customizability and how we had to incorporate CounterACT to talk to our Cisco switches was really straightforward. It was easy and it worked.

Absolutely go for it. I would love to give them a demo of our own environment, talk to people at CounterACT and roll it out. If it's within their budget, whatever that may be, absolutely I would use it.

Our primary use case of this solution was to control which of our devices were connected to the network. I'm a senior architect advisor. We were customers of Forescout. 

As a result of using Forescout, we had a better overview of all the devices, known and unknown, that were connected to our network; it was a real advantage.

A very valuable feature is the discovery mode. It covers all types of devices on the network, which we didn't know existed.

I don't think we tested the full potential of Forescout. We had some delay implementing it into our organization, due internal organizational issues and also due to a lack of device registrations. Meanwhile we decided to switch to a new network provider that doesn't have Forescout in its portfolio. We favour one-stop shopping for network and security services, and will migrate to Aruba ClearPass (portfolio). 

I used this solution for the past year. 

The solution is stable. 

The product seems to be scalable although we didn't fully test it. 

I think the initial setup was fairly straightforward although I was not involved on a technical level. We had the advantage that the technical engineers knew our networks and how to carry out the implementation and we also had some assistance from British Telecom. We initially focused on our main plant or main location, and then moved to our other locations, which are far smaller, and have a lower risk profile. That was our strategy and implementation took around nine months after the initial implementation which took about a week. At that point, we realized there were more devices than we thought and the process became more complicated. It took a while to get a handle on everything. There were just a couple of us involved in deployment. 

This product demonstrates the possibilities of network access control for the organization. As a pilot project, it changed the minds of people because they could see the potential which included enrolling policies so that all devices can connect to the network. People are more aware now of the security risks when there is no network access control.

Forescout is affordable in terms of the end goal, which is control. We only looked at it in terms of discovery modes and I think it's too expensive to use for that purpose alone. We took a package, managed by British Telecom, which gave us some additional services without additional costs. 

We evaluated a couple of options. We first planned to use Radius which is more of a Microsoft-ended solution. We also looked at Cisco ISE but that's very expensive and I've seen reviews on your site about the difficulty of implementation. 

I would recommend this solution because it has a lot of different ways of discovering different devices and showing networks. It's very flexible. I believe the reason we didn't reach our goal is because of our company decisions and not because of the solution. 

I rate this solution eight out of 10. 

We use this solution for cyber-security purposes.

The 802.1X compliance authentication feature of this solution is very good.

We have found that the agent-based authentication, available within this solution could be improved.

The price-point for this solution is very high, which should be looked at in comparison with similar products currently on the market.

We have been using this solution for five years.

We have found this to be a stable solution.

We believe this product is easily scalable.

The technical support for this product has been good in our experience.

Neutral

The setup for this solution is very straightforward, but full deployment can take a number of years.

The cost of licensing for this product is quite high, but this cost covers all the features of the solution so it is a single payment for the term that has been selected.

I would rate this solution a seven out of ten.