Fortinet FortiGate Review
FortiGate security appliances provide UTM security in a single device with a good administrative interface and performance


We're discussing a family of UTM (Unified Threat Management) appliances. FortiGate is an umbrella term for a wide range of products, from small units dedicated to small offices up to devices able to provide security and networking for large companies. The family includes physical appliances and virtual machines, which provide network security at different layers from a single point of control. FortiGate is designed to avoid bottlenecks or delays while the various controls are performed. High availability is also among the available features, with several options to avoid single points of failure.

In the following short list I cover some of the points that I find most interesting about the FortiGate solution.

1. Administrative Interface

If you are experienced with network security management, you know that this activity requires interaction with many different software and hardware solutions from disparate vendors. In that scenario it is normal to have frequent updates to apply on the various products, and more than one monitoring tool to watch in order to keep track of security events. The FortiGate solution includes all the controls you would expect from a patchwork of security products in a single device with a single administrative interface. It is your switch, router, firewall, VPN hub, antivirus, anti-spam, proxy, and endpoint security solution all in one.

If you define a network object or group for firewalling purposes, the same object can be reused when you define antivirus rules or web browsing policies. There are two administrative interfaces:

  • Web-based manager (a graphical interface usable through a web browser);
  • CLI (a command line interface).

A strong point of FortiGate is that the graphical interface is complete and easy to use, especially considering how many operations can be performed from it.

If you have used appliances or firewalls from other vendors, you often have to use not-so-friendly command lines to obtain the exact result you need. With FortiGate, you will use the CLI seldom and only for the most “exotic” features.

2. UTM, the Fortinet way

Unified Threat Management may be complex to manage, because you work on different protocols, at different layers and with disparate threats to consider. In FortiGate, you can think of three broad layers:

  • Networking services (switching and routing, both static and dynamic);
  • Network security services (firewalling, secure VPN connection, intrusion detection and endpoint security);
  • Application security services (spam and virus controls, web filtering, application control and data leak prevention).

As long as you pay (and renew as it expires) the “bundle” license, you have all the aforementioned features available, including the updates for signatures and definitions delivered to your appliance directly from Fortinet. You do not have to use all the available controls; you are able to turn them on and off on demand, so you could start with a simple configuration and add control layers as you feel more comfortable.

3. Virtual Domains

One of the available features is the capability of a FortiGate to host many Virtual Domains (VDOMs). VDOMs let you give different companies, each with its own administrators, access to the same physical unit. Each one keeps its own configuration with no impact on the others. What you are doing is creating “virtual units” while keeping a “root” domain that is used to manage the virtual domains. Keep in mind that administrators with the global (super_admin) profile still see every VDOM, so the separation between tenants is only as strong as the scoping of the administrator accounts you create. VDOMs add a lot of flexibility to the solutions that you are able to plan using FortiGate.
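As an added example (not part of the original review and not Fortinet's documentation), these are the FortiOS CLI steps that implement the separation described above: enabling multi-VDOM mode, creating a tenant VDOM, handing it a physical port, and creating an administrator that is bound to that VDOM only. The syntax is FortiOS 6.x; the names tenantA, port3 and tenantA-admin, the addresses and the password are placeholders.

```fortios
# Added example, not from the review. FortiOS 6.x syntax; tenantA, port3,
# tenantA-admin, the addresses and the password are placeholders.

# Switch the unit from a single VDOM to multi-VDOM mode.
config system global
    set vdom-mode multi-vdom
end

# Create the tenant's "virtual unit". The root VDOM already exists and
# remains the management domain.
config vdom
    edit tenantA
    next
end

# Interfaces and administrators are global objects, so they are
# configured from the global context, not from inside a VDOM.
config global
    # Assign a physical port to the tenant; it is removed from root.
    config system interface
        edit port3
            set vdom tenantA
            set mode static
            set ip 192.0.2.1 255.255.255.0
            set allowaccess ping https ssh
        next
    end
    # Tenant administrator: scoped to tenantA, using the built-in
    # prof_admin read/write profile instead of super_admin, and only
    # accepted from the tenant's management network (trusthost).
    config system admin
        edit tenantA-admin
            set vdom tenantA
            set accprofile prof_admin
            set trusthost1 203.0.113.0 255.255.255.0
            set password "replace-with-a-strong-password"
        next
    end
end
```

Logging in as tenantA-admin lands directly in tenantA and shows none of the other VDOMs; only accounts created without `set vdom`, with the super_admin profile, keep the global view. The trusthost line is the check worth keeping: without it a tenant administrator's credentials are usable from any network that reaches the management interface.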

4. High Availability and Resiliency

There are four different ways to make a FortiGate unit highly available:

  • a traditional “cluster” of two or more units using the FortiGate Cluster Protocol (FGCP);
  • session synchronization between standalone units behind an external load balancer, using the FortiGate Session Life Support Protocol (FGSP);
  • a Layer 3 resiliency solution such as Virtual Router Redundancy Protocol (VRRP);
  • a Layer 2 solution such as Fortinet Redundant UTM Protocol (FRUP), offered only on some models.

Again, we have a great deal of flexibility to design the best solution for our company’s needs.
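As an added example (not part of the original review and not Fortinet's documentation), this is the minimal FGCP configuration for the two-unit active-passive cluster mentioned first in the list above. The syntax is FortiOS 6.x; the group name, group ID, password, heartbeat ports and monitored ports are placeholders and must match your cabling.

```fortios
# Added example, not from the review. FortiOS 6.x syntax; the group name,
# group ID, password, hbdev and monitor ports are placeholders.
# Apply the same block on both units before connecting the heartbeat
# links; only "priority" should differ between them.
config system ha
    set group-name "edge-cluster"
    # group-id must be unique per cluster on a shared Layer 2 segment,
    # otherwise two clusters will try to join each other.
    set group-id 10
    set mode a-p
    # Shared secret that authenticates heartbeat packets between members.
    set password "replace-with-a-shared-secret"
    # Two dedicated heartbeat interfaces, equal priority (50).
    set hbdev "port5" 50 "port6" 50
    # Keep the current primary after a failback; avoids flapping when the
    # recovered unit comes back with a higher priority.
    set override disable
    # Higher value wins the primary election (set 100 on the second unit).
    set priority 200
    # Synchronize TCP sessions so a failover does not drop connections.
    set session-pickup enable
    # Fail over if either of these data interfaces loses link.
    set monitor "port1" "port2"
end
```

After both units are cabled, `get system ha status` on either member shows the cluster state and which unit is primary; if the two do not form a cluster, the usual causes are a mismatched group-id/password, different firmware versions, or different hardware models.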

5. The Dark Side of the Moon

It would not be fair to review a product while omitting its negative points. With FortiGate, the main complaint that I have heard is about the technical support. My personal experience is the same as that of many people who are not happy with this aspect of the service offered by Fortinet. Often your problem is diverted to local partners, and I have to say that I have had mixed results with them. While some partners are professional, many are not skilled enough, and I have paid costs that were not matched by the quality of the service. The same issue exists with other vendors, but that is not an excuse. As long as Fortinet support sends me to a local reseller or partner, from my point of view they are taking responsibility for that partner's capabilities.

Disclosure: I am a real user, and this review is based on my own experience and opinions.

18 Comments

Kavin M, Real User

Fortinet is a very good device in the SMB market. Handling is very easy, very nice user interface. Compared with all other UTMs its performance is very good. Many options are available, like VDOM, transparent mode, routing and switching.

29 October 15
Vahid Kazimov, Real User

There are 2000 people in our University.
Which Fortinet product (FortiGate and FortiAP) must we use without any problems?

11 January 16
Fabrizio Volpe, Real User

Hi Vahid.
I see no good reason to NOT use Fortinet products in your university.
They are good and scalable as much as you need.
Just keep an eye on sizing (i.e. selecting the right appliance for your needs).

11 January 16
Vahid Kazimov, Real User

Fabrizio Volpe, thank you very much

12 January 16
Nkosinathi Hlatshwayo, User

Hi, exactly how do you get to pick the right Fortinet firewall device for your needs? I have about 3000 users on my university network and am still using a FortiGate 82c which seems to be failing now. Please advise!

26 May 16
Fabrizio Volpe, Real User

Good morning Nkosinathi.
A good starting point is the Fortinet Product Matrix ( https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf ) that contains all the devices and related capabilities.

You have to select the best fit based (for example) on the number of FortiClients used by your university.

My suggestion (for a 2,000-user campus) would be a couple of FG-200D (at least) paired in a cluster for redundancy.
As usual, the more you spend, the better the result.

26 May 16
Orlee Gillis, Consultant

Fabrizio, once you've chosen a product from Fortinet's Product Matrix, do you stay with your selection permanently, or have you changed products in the past?

05 October 16
Bassem Malek, User

What Fortigate model number would be most appropriate for a school with around 50 users in total?

18 May 17
JODY REED, Real User

We use a 90D in our office of 30. All our users are heavily interacting with web based portals and such. I would think it would scale to your target of 50 nicely.

18 May 17
JosephKingori, Real User

I am using a FortiGate 500D; the experience is excellent. User-friendly GUI config environment. When it comes to security, it's the best.

19 June 17
Claudio Villagra, User

Hi Fabrizio, great review! Thanks for your valuable time!
If you have a chance, could you please advise about what model fits better for a warehouse with about 60 users (desktops, smartphones, handheld scanners) plus 10 VPN users? Also, we use a site-to-site VPN between 2 companies.
Should I pick Fortinet, SonicWall or pfSense?

08 August 17
Fabrizio Volpe, Real User

Hi Claudio. Based on the Product Matrix ( https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf ) the FortiGate 30E looks like a good candidate (calculating 50 sessions per user).
Not having enough experience with SonicWall and pfSense, I am not able to give you a comparison :-)

08 August 17
reviewer690582, Real User

I have used FortiGates for 6 years. Like you, I have had similar experiences, augmented by an additional support subscription due to my early learning curves. What I did not realize were the speed compromises with all the security apps active: if I have a Verizon FiOS true Gig subscription, my speed was tapered down to 100 Mbps or less. That is a 90% reduction. With 6 users multiplied by cell phones accessing the same WiFi, you can imagine the data speeds we were actually working with.

So I picked WatchGuard, the T70 specifically. The data speeds with everything turned on remain near the subscription (1 Gig) and I have the same types of protections as the FortiGate. It is too early to report on reliability and other specs since this has changed only in the last week, but the specs tell me a lot that helped me understand what I missed on my first go-around with FortiGate. Don't get me wrong, I had zero issues over the last 6 years, to FortiGate's credit. However, that speed compromise doesn't work for me. Perhaps I missed something, but my support knows the product and there were no adjustments available other than turning certain features off. I couldn't afford that security risk, not these days.

01 November 17
Fabrizio Volpe, Real User

Security solutions are something that has to be tailored to each company's needs, so WatchGuard could be a better match with your requirements and it is absolutely understandable.

11 December 17
Orlon Rose, Real User

I can understand additional security features slowing things down; it's the same in the physical world at the airport! But from 1 Gig to 100 Mbps seems a bit extreme to me. My boss and fellow co-workers would not accept any explanation for those numbers. Is this typical of all UTM devices? I'm considering Fortinet's FortiGate devices for securing our network but this makes me a bit wary.

16 December 17
Sulley, User

Hi, I am looking for an NGFW with UTM that complies with the below requirements. Please advise if this can suit.

Detailed Technical Evaluation sheet for OEM Product Evaluation.
Hardware and Interface Requirements
S.NO Features
1 Firewall appliance should have Console port and USB Ports
2 Appliance should be rack mountable and support side rails if required
3 Firewall should have Hardware Sensor Monitoring capabilities.
4 The platform should support VLAN tagging (IEEE 802.1q)
5 Active -Active, Active-Standby Redundancy/Load Balancing: The firewall must support Stateful active-active load balancing and high availability for redundancy.
6 The firewall should support ISP link load balancing and failover.
7 Firewall should support Link Aggregation functionality to group multiple ports as single port.
8 Firewall should support Ethernet Bonding functionality for Full Mesh deployment architecture.
9 The platform must be supplied with at least sixteen (16) 1G ports and future expansion slots for a minimum of 4 1G and 10G ports.

Performance Requirements
S.NO Features

1 Unified Threat Management Firewall Throughput should be 30 Gbps at minimum
2 Superior performance for IPv4/IPv6, SCTP and multicast traffic with ultra-low latency down to 3 microseconds.
3 Traffic shaping and priority queuing.
4 Providing high-speed cryptography and content inspection services including signature-based content inspection acceleration and encryption and decryption offloading.
5 The firewall should be able to store logs for a minimum of 12 months
6 IPS/IDS+ Application control Throughput should be minimum 24 Gbps or above with Strictest profile with almost all protections enabled for IMIX traffic.
7 IPSec VPN Throughput should be 14 Gbps.
8 The Firewall must support minimum 30 Million concurrent sessions
9 The Firewall must support minimum 200,000 new connections per second processing.
10 Appliance should have a capability to support not less than 1024 VLANs
11 Firewall should have Virtual domain feature for creation of 20 virtual firewall appliances within a single box at minimum.

Architecture Features
S.NO Features

1 Proposed Solution should have Firewall Modules, Firewall Management & Monitoring Server, report and alert server and GUI Console.
2 The communication between all the components of Firewall System (firewall module, logging & policy management server, and the GUI/WebUI Console) should be encrypted with SSL or PKI.
3 Firewall Appliances and associated management system (firewall module, logging and policy) should be in Active – Active with load balance and automatic failover architecture.
4 It should support the IPSec VPN for both Site-Site & Remote Access VPN
5 Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN
6 Firewall Real-Time Monitoring, Management & Log Collection (with storage) should be a SINGLE Appliance / Server
7 It should support the system authentication with TACACS+, RADIUS
8 Firewall Appliance should have a feature of holding multiple OS images to support resilience & easy rollbacks during the version upgrades.
9 Integrated all-in-one security delivers enterprise-class multi-threat protection for the remote access
10 It should provide a control framework for firewall policies change management.
11 It should be scalable and reliable.

Network protocols/Standards Support Requirement
S.NO Features

1 It should support at least standard TCP/IP protocols and interfacing for firewall requirements including support for authentication with Active Directory.
2 Firewall Modules should support the deployment in Routed as well as Transparent Mode.
3 The Firewall must provide state engine support for all common protocols of the TCP/IP stack.
4 The Firewall must provide NAT functionality, including dynamic and static NAT translations.
5 All internet based applications should be supported for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, Ms-Exchange etc
6 Local access to the firewall modules should support authentication protocols – RADIUS & TACACS+
7 IPSec VPN should support the Authentication Header Protocols – MD5 & SHA.
8 IPSec ISAKMP, IKEv1 & IKEv2 methods should support Diffie-Hellman Groups 1, 2, 5, 14 & 19, MD5 & SHA hash, RSA & manual key exchange authentication, 3DES/AES-256 encryption of the key exchange material and algorithms like RSA-1024 / 1536.
9 IPSec encryption should be supported with 3DES, AES-128 & AES-256 standards.
10 IPSec should have the functionality of PFS and NAT-T.
11 Firewall should support PKI authentication with PKCS#7 & PKCS#10 standards.
12 It should support BGP, OSPF, RIPv1 &2, Multicast Tunnels, DVMRP protocols.
13 Firewall should support configuration of IPSEC VPN links at a minimum of 2000 tunnels.

Firewall Filtering Requirements
S.NO Features

1 It should support the filtering of TCP/IP based applications with standard TCP/UDP ports or deployed with custom ports.
2 The Firewall must provide state engine support for all common protocols of the TCP/IP stack.
3 The Firewall must provide filtering capability that includes parameters like source addresses, destination addresses, source and destination port numbers, protocol type.
4 The Firewall should be able to filter traffic even if the packets are fragmented.
5 All internet based applications should be supported for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, Ms-Exchange etc.
6 It should support the VOIP Applications Security by supporting to filter SIP, H.323, MGCP and Skinny flows.
7 It should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype (SSL and HTTP tunneled).
8 It should enable blocking of Peer-Peer applications, like Kazaa, Gnutella, Bit Torrent, IRC (over HTTP).
9 It should have DDoS mitigation capabilities.
10 It should have Data Loss prevention capabilities
11 The Firewall should support authentication protocols like LDAP, RADIUS and have support for firewall passwords, smart cards, & token-based products like SecurID, LDAP-stored passwords, RADIUS or TACACS+ authentication servers, and X.509 digital certificates.
12 The Firewall should support database related filtering and should have support for Oracle, MS-SQL, and Oracle SQL-Net.
13 The Firewall should provide advanced NAT capabilities, supporting all applications and services-including H.323 and SIP based applications.
14 Should support CLI & GUI based access to the firewall modules.
15 Local access to firewall modules should support role based access.
16 QoS Support [Guaranteed bandwidth, Maximum bandwidth, Priority bandwidth utilization, QOS weighted priorities, QOS guarantees, QOS limits and QOS VPN].
17 It should support filtering based on user specification of the contents to be filtered (type of contents within sites, category of websites and applications like WhatsApp, Facebook etc).
18 It should support traffic filtering at all TCP IP layers

Integrated IPS and IDS Feature Set
S.NO Features

1 It should have capabilities to protect zero day attacks/Attacks with unknown signatures.
2 Integrated IPS and IDS functionality should be available as a software module that can be activated and de-activated as and when required.
3 The IPS should be constantly updated with new defenses against emerging threats.
4 IPS updates should have an option of Automatic downloads and scheduled updates so that it can be scheduled for specific days and time.
5 Should have flexibility to define newly downloaded protections will be set in Detect or Prevent mode.
6 Activation of new protections based on parameters like Performance impact, Confidence index, Threat severity etc.
7 IPS Engine should support Vulnerability and Exploit signatures, Protocol validation, Anomaly detection, Behavior-based detection, Multi-element correlation.
8 IPS profile can be defined to Deactivate protections with Severity, Confidence-level, Performance impact, Protocol Anomalies.
9 IPS Profile should have an option to select or re-select specific signatures that can be deactivated
10 Intrusion Prevention should have an option to add exceptions for network and services
11 IPS should have the functionality of Geo Protection to Block the traffic country wise.
12 IPS Policy to Block the traffic by country should have an option to configure in incoming direction, Outgoing direction or both.
13 IPS events/protection exclusion rules can be created, and packet data can be viewed directly from log entries with raw packets and if required sent to Wireshark for analysis.
14 Application Intelligence should have controls for Instant Messenger, Peer-to-Peer, Malware Traffic etc.
15 IPS should provide detailed information on each protection, including: Vulnerability and threat descriptions, Threat severity, Performance impact, Release date, Industry Reference, Confidence level etc.
16 IPS should have an option to create your own signatures with an open signature language that detects and blocks harmful contents or applications.

Identity Awareness Features
S.NO Features

1 Firewall Should support Identity Access for Granular user, group and machine based visibility and policy enforcement.
2 Firewall should support the Identity based logging.
3 Identity Access should be able to distinguish between employee and other like guests and contractors.
4 Should have an option of time duration for Guests Login.
5 Should provide seamless AD Integration with multiple deployment options like Clientless, Captive Portal or Identity Agent.
6 Should support and obtain the user identity in case user is behind a proxy.
7 Identity awareness licensing should be passed per gateway and not restrict on the basis on users.
8 Should support redundancy High Availability and Load Sharing.
9 Identity Awareness should work in conjunction with Application Control.
10 Identity should be learnt from Active directory users and groups.

Web Control [Application Control +URL Filtering]

S.NO

1 Solution should provide Web Application Firewall (WAF) support Application Detection and Usage Control.
2 Should enable securities policies to identify, allow, block or limit application regardless of port, protocol etc.
3 Application Control Databases should have more than 2000+ Web 2.0 applications and 2,00,000+ Social Networking Widgets.
4 Should have more than 100+ Categories based on URLs, Application types, Security Risk level etc and the number of URLs categorized should be more than 280 Million.
5 Should have Categories like Business Applications, Instant Messaging, File Storage and Sharing, Mobile Software, Remote Administration, SMS Tools, Search Engine, Virtual Worlds, Webmail etc.
6 Should support User and Group based policies.
7 Solution should have an option of creating custom categories for URL and Application control.
8 Solution should have an option of mechanism of educating users for eg Ask user before allowing access website.
9 Solution should support Actions like Inform, Ask, limit and Block.
10 Should be integrated with Identity Awareness for granular control of application by specific users, group of users and machine they are using.
11 Should provide Seamless and Agent-less integration with Active Directory
12 Active Directory user's identification may be done either through querying Active Directory, through a captive portal or through installing a one-time, thin client-side agent.
13 Should be Managed Centrally from Single Dashboard via user friendly interface.

Antimalware Feature Set( Antivirus+ Bot Attacks)
S.No Features

1 Solution should be able to identify malwares coming from incoming files and malwares downloaded from Internet.
2 Solution should be able to Discover bot outbreaks, infected machine, prevent Bot damage.
3 Solution should have a multi-tier bot discovery, i.e. detect Command and Control IP/URL and DNS.
4 Solution should be able to detect unique communication patterns used by bots, i.e. information about the botnet family.
5 Solution should be able to block traffic between infected Host and Remote Operator and not to legitimate destination.
6 Solution should be able to provide with Forensic tools which give details like Infected Users/Device, Malware type, Malware action etc.
7 Anti-virus scanning should support proactive and stream mode.
8 Solution should be able to create a protection scope for the inspection
9 Solution should give information related to Performance impact and confidence level of protections while creating profiles.
10 Solution should have an option of configuring Exception.
11 Solution should be able to Scan by File direction and IP address.
12 File type recognition along with following actions ie Scan, Block, Pass.
13 Should be able to scan any file irrespective of its size.
14 Antivirus protection protocols for HTTP,HTTPS, FTP, POP3, SMTP.
15 Anti-spyware for pattern based blocking at the gateway.
16 It should provide protection against boot tampering.
17 Centralized daily, automatic and manual updates.
18 Solution should have an option of packet capture for further analysis of the incident.
19 Solution should have an option of setting Malware trap to identify compromised clients.
20 Solution should provide attack remediation.

SSL VPN Features Set
S.No Features

1 The solution must support Minimum 20,000 Concurrent VPN peers.
2 Secure Remote access to corporate application over the internet via Smartphones or PC's, Tablets and Laptops.
3 Enterprise-grade remote access via SSL VPN for secure mobile connectivity to email, calendars, contacts and corporate applications.
4 Verify authorized users with the two-factor authentication and user-device pairing.
5 Provide Secure SSL VPN access, Two Factor Authentication, Device/end user pairing, Mobile Business Portal, Provisioning of Security Feature and email profile.
6 SSL VPN for access to various corporate applications like Web applications, File shares, Citrix services, Web Mail, Native applications etc.
7 SSL VPN portal for Secure web based connectivity for web applications, web based resources, shared files emails.
8 End Point Scanning on Demand for endpoint compliance and malware scanner, key loggers, Trojans and Self remediation for out of compliance users.
9 Secure Virtual Workspace for virtual environment, insulated from the host and encrypts and deletes browser and applications cache, files, etc when session ends.
10 The solution should support strong Two factor authentication by integrating with Web SMS Gateway/Email Server or with 3rd party Two factor Authentication vendor like RSA etc…
11 Dynamic ID Direct SMS/email authentication can be configured to send One-Time Password (OTP) to an end user communication device via an SMS message or on email.
12 Support of mobile phones: 3G, 4G, iPad, Android, iPhone etc.

Administration, Management,& Logging/Reporting Functionality
S.NO Features

1 Management, Real-Time Monitoring, Log Collection and Reporting should be a separate dedicated system.
2 Firewalls should be manageable from the centralized management framework.
3 Firewalls should provide forensic reports.
4 Firewalls should provide security Dashboard.
5 Any changes or commands issued by an authenticated user should be logged to a database.
6 Firewall Management system should also provide the real time health status of all the firewall modules on the dashboard for CPU & memory utilization, state table, total # of concurrent connections and the connections/second counter.
7 Firewall must send mail or SNMP traps to Network Management Servers (NMS) in response to system failures or threshold violations of the health attributes.
8 The Firewall must provide simplified provisioning for addition of new firewalls where by a standard firewall policy could be pushed into the new firewall.

22 February 18
Andrew S. Baker (ASB), Real User

Hi Orlon, I have never seen a drop from 1Gb/s to 100Mb/s for any collection of security features. I've seen 35-40% performance loss, but not 90%

02 August 18
reviewer690582, Real User

I had my data speed compromise confirmed by my paid support subscription.

03 August 18