First things first
FortiGate from Fortinet is a family of UTM (Unified Threat Management) appliances. The name covers a wide range of products, from small units aimed at small offices up to devices able to provide security and networking for really big companies. The family includes physical devices and virtual machines, which provide network security on different layers from a single point of control. FortiGate is optimized to avoid bottlenecks or delays while the various controls are performed. High availability is also among the available features, with different solutions to avoid single points of failure.
In the short list that follows, I will try to cover some interesting points about the FortiGate solution.
1. Administrative Interface
If you are experienced with network security management, you know that this kind of activity usually requires interacting with many different software and hardware products from disparate vendors. In that scenario, it is normal to have frequent updates to apply to the various products and to watch more than one monitoring tool to keep track of security events. The FortiGate solution includes all the controls you would expect from a patchwork of security products, in a single device with a single administrative interface. It is your switch, your router, your firewall, your VPN hub, your antivirus, your antispam, your proxy and your end-point security solution all in one.
If you define a network object or group for firewalling purposes, it will also be available for defining antivirus rules or Internet browsing policies. There are two administrative interfaces:
·Web-based manager (a graphical interface usable through a web browser)
·CLI (a command line interface)
A strong point of a FortiGate is that the graphical interface is complete and easy to use (especially considering the list of operations that we are able to perform in it).
Again, if you have used appliances or firewalls from other vendors, you know that you often have to use a not-so-friendly command line to obtain the exact result that you need. With FortiGate, you will seldom use the CLI, and only for the most “exotic” features.
2. UTM the Fortinet way
Unified Threat Management may be complex to manage, because you work on different protocols, at different layers and with disparate threats to consider. In a FortiGate you can think of three broad layers:
·Networking services (switching and routing, both static and dynamic)
·Network security services (firewalling, secure VPN connection, intrusion detection and endpoint security)
·Application security services (spam and virus controls, web filtering, application control and data leak prevention)
As long as you pay for the “bundle” license (and renew it when it expires), you have all the aforementioned features available, including the updates for signatures and definitions, which come to your appliance directly from Fortinet. I am not saying that you have to use all the available controls, but you are able to turn them on and off “on-demand”, so you could start with a simple configuration and add control layers when you feel more comfortable.
3. Virtual Domains
One of the available features is the capability of a FortiGate to support many Virtual Domains (VDOMs). VDOMs enable you to grant access to different companies with different administrators on the same physical unit. Each of them will be able to keep his/her specific configuration with no impact on the others. What you are doing here is creating “virtual units”, while keeping a “root domain” that is used to manage the virtual domains. VDOMs add a lot of flexibility to the solutions you are able to plan using FortiGate.
4. High Availability and Resiliency
There are four different ways to make a FortiGate unit highly available. You could use a traditional “cluster” design with two or more units using the FortiGate Cluster Protocol (FGCP), a solution with an external load balancer using the FortiGate Session Life Support Protocol (FGSP), a layer 3 resiliency solution like Virtual Router Redundancy Protocol (VRRP) or a layer 2 solution like Fortinet Redundant UTM Protocol (FRUP). Here we have (again) a great deal of flexibility to design the best solution for our company’s needs.
5. The Dark Side of the Moon
It would not be fair to review a product while omitting the negative points. Talking about FortiGate, the main complaint I have heard is about the technical support. My personal experience is the same as that of many people who are not happy with this aspect of the service offered by Fortinet. Often your problem is diverted to local partners, and I have to say that I had mixed results with them. While some partners are professional, many are not skilled enough and have costs that are not equivalent to their quality. I know that there is the same issue with other vendors too, but that is not an excuse. As long as Fortinet support sends me to a local reseller or partner, from my point of view, they are taking responsibility for their capability too.