What is our primary use case?
We're trying to get around some restrictions that some ISPs have put in place. For us, it's Telus, for remote locations. We do a lot of remote site work. We do real estate maps. We have wireless towers at different locations and the ISPs are putting things behind proxy so that we can't get remote access. We're using this to get around it with their VPN system.
Fortinet has quite a good SD-WAN VPN setup, so that you can get around things a lot more easily, with more intelligence.
How has it helped my organization?
The cost is an advantage. You save a fair bit.
What is most valuable?
It's great to get out, it's flexible. They have some good ramping up for performance between different devices.
The biggest thing, for us lately, has been their cloud tools. They're like Intercept X from Sophos, where they'll test for ransomware. Fortinet has the same sort of set up with their cloud devices. So your firewall picks up something suspicious, it sends it up to the cloud for analysis. We also have their in-house antivirus. Having different antivirus checkpoints throughout the network is a good thing as well.
What needs improvement?
WatchGuard has a desktop-based admin tool, instead of doing everything through the web. I'm an old-school guy. I really don't like web GUI interfaces. They're always slow and laggy and their design is restricted, whereas a binary deployment for an admin tool is always faster, easier, more flexible. I would like that kind of functionality from Fortinet. In part, it's bias, because I'm familiar with it. But WatchGuard is a very flexible tool. It's very dated now, it needs to be worked on, but it is quite a good tool in that way.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
So far, no problems with stability at all. They have a failover system which we haven't used, we haven't needed to use, everything has been fine. But we've only had it for about a year. We do have some stuff deployed down in Mexico that corrodes pretty quickly, so I'm expecting something to fail down there at some point, but we'll see how that goes.
What do I think about the scalability of the solution?
With the smaller devices, you definitely have to do some planning, especially with throughput. If you have some of the high-fiber, say a 300 megabit fiber coming in, and you want to turn everything on, and you want to have a high encryption rate on the VPN, you're going to have some problems; if you're doing antivirus, web filtering, and you have high encryption on a VPN.
They have some built-in chips that offload the VPN encryption work, but if you go above those chips' capabilities, then it starts to use CPU time and if you have a lot of data coming in that's getting scanned for viruses, or whatever else you're going to be scanning for, you start to notice the impact there and you'll lose throughput.
With the lower-end devices you definitely notice that and you have to plan for it. Higher-end stuff has all that built in.
How is customer service and technical support?
Technical support is really good. They had some good insights. I had a FortiGate installer come out and do some work with us on one of our sites that I was having problems with, and he had an issue. He called their main tech support line and he got through to the engineers in the background fairly quickly, so it was good.
I had one other problem independent of that and it was answered within about four hours, quite completely. It was more information then I needed.
Which solutions did we use previously?
Our previous solution was WatchGuard. WatchGuard is very easy to manage. It's a very user-friendly product. It's just a little bit pricey for what we are using, for the small deployments. Not everything has 100 people, or 1000 people behind it. Some of them only have five or 10, and you don't want to be spending $4,000 for a few people.
We had some older products. Because we're remote, we don't always have the highest speed connections. At one location in particular, we had five DSL lines bonded into one to make a bigger pipe and finally got fiber out to that location in an industrial park. We were going from approximately 50 down and 13 up to 300/300. We knew the throughput for the older device wouldn't handle it. To use what you pay for, you have to upgrade.
When selecting a vendor cost is definitely a factor, but it's not the factor. It would mostly be ease of use and reliability, meaning the device is going to be there, the company is going to be there, the support is going to be there. You need all that background stuff. The price is important, but if it makes everything run well, and makes my management time minimal, then it's worth spending a little more money on the device. If it doesn't do the job, there's no use buying it.
How was the initial setup?
It's pretty rapid deployment, but to have it deployed correctly it does take some effort. In that way, it's dangerous because you can leave a lot of holes open.
For the most part, the setup was straightforward. What surprised me is that I had to put in the starting route. Usually, it just picks it up and knows what it is based on your interface setup; it knows what the routing is supposed to be. But it required me to do that. That was the only thing I ran into. Other than that, everything else was trivial.
It's logical, it points you in the direction. Once you do firewalls, you know where you need to go to set up your interfaces, and you start figuring out your holes. Then you go check your routes.
What's my experience with pricing, setup cost, and licensing?
It's relatively inexpensive in comparison to everything else that has the same functionality. If you're looking at SonicWall or if you're looking at WatchGuard, their prices are about a third higher with relatively the same functionality.
Which other solutions did I evaluate?
We had SonicWall for a while, years ago, so we went back to them. We also talked to the Dell guys. We went back to WatchGuard to have a look at their items, and then there was Fortinet. I'm based out of Vancouver and Fortinet has a fairly major operation in Burnaby, which is just outside of Vancouver. I'd heard about them and they got added to the list.
Those were the major candidates that we looked at. We talked about a bunch of others, and a couple of other vendors that we talked to that use different products, but we never really seriously went into them.
What other advice do I have?
Go out and see if you can get demos. That's the best thing, to get the feel of it. Either you sit down and get walked through it, or you log in and start flailing around and see if it works the way your mind works, because everybody is different.
I would rate Fortinet at about nine out of 10, mostly because it's web interface, it looks nice, it works well. Their console is a dominant part of the admin. Just like Windows has gone with their PowerShell with a lot of stuff, I'm not a big fan of it, even though I come from that era. I'm an old COBOL programmer guy.
Command lines are nice, but they don't give you, always, the type of feedback you need in multiple locations, so I like the GUI a little bit more for just simple management and monitoring. The command line is a big part of it. It's not intuitive to me. Building the commands, I understand how it flows, but the actual words in the commands to pull up what you need isn't that great. And personally, I'd like a desktop client to admin tool.
If you're building a VPN, you build it outside it, then you deploy all the devices at once, and the VPN just works, instead of going to each individual device and logging in.
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Aug 06 2018