Fortinet FortiGate Review

Fortinet is a very good device in SMB market.. handling is very easy . very nice user interface. Comparing with all other UTMs its performance is very good. VDOM,Transparent mode,Routing,Switching like many options available.

There 2000 people in our Univeristy
Which Fortinet product (Fortigate and FortiAp) must we use without any probems ?

Hi Vahid.
I see no good reason to NOT use Fortinet products in your university.
They are good and scalable as much as you need.
Just keep an eye on sizing (i.e. selecting the right appliance for your needs).

Fabrizio Volpe, thank you very much

Hi, exactly how do you get to pick the right Fortinet firewall device for your needs? I have about 3000 users on my university network and still using Firtigate 82c which seems to fail now. Please advice!!!

Good morning Nkosinathi.
A good starting point is the Fortinet Product Matrix ( https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf ) that contains all the devices and related capabilities.

You have to select the best fit based (for example) on the number of FortiClients used by your university.

My suggestion (for a 2,000 users campus) would be a couple of FG-200D (at least) paired in a cluster for redundancy.
As usual, the more you will spend, the better result you will have.

Fabrizio, once you've chosen a product from Fortinet's Product Matrix, do you stay with your selection permanently, or have you changed products in the past?

What Fortigate model number would be most appropriate for a school with around 50 users in total?

We use a 90D in our office of 30. All our users are heavily interacting with web based portals and such. I would think it would scale to your target of 50 nicely.

Am using fortigate 500D, experience is excellent. User friendly GUI config environment. When it comes to security, its the best.

Hi Fabrizio, great review! Thanks for your valuable time!
If you have a chance, could you please advise about what model fits better for a warehouse with about 60 users (desktops, smartphones, handheld scanners) plus 10 vpn users? Also we use site-to-site vpn between 2 companies.
Should I pick Fortinet, Sonicwall or pFsense?

Hi Claudio. Based on the Product Matrix ( https://www.fortinet.com/content/dam/fortinet/assets/data-sheets/Fortinet_Product_Matrix.pdf ) the FortiGate 30E looks like a good candidate (calculating 50 sessions per user).
HAving not enough experience on SonicWall and pFsense I am not able to give you a comparison :-)

I have used Fortigates for 6 years. Like you, similar experiences augmented by an additional support subscription due to my early learning curves. What I did not realize was the speed compromises with all the security apps active - if I have a Verizon FiOS true Gig subscription, my speed was tapered down to 100 Mbps or less. That is a 90% reduction. With 6 users multiplied by cell phones accessing the same WiFi, you can imagine the data speeds we were actually working with.

So, I picked WatchGuard, the T70 specifically. The data speeds with everything turned on remains near the subscription (1 Gig) and I have the same types of protections as the Fortigate. It is too early to report the reliability and other specs since this has changed only in the last week, but the specs tell me a lot that helped me to understand what I missed on my first go-around with Fortigate. Don't get me wrong, I had zero issues over the last 6 years to Fortigate's credit. However, that speed compromise doesn't work for me. Perhaps I missed something, but my support knows the product and there were no adjustments available, other than turning certain feature off. I couldn't afford that security risk, not these days.

Security solutions are something that has to be tailored to each company's needs, so WatchGuard could be a better match with your requirements and it is absolutely understandable.

I can understand additional security features slowing things down, its the same in the physical world at the airport! but from 1 Gig to 100 Mbps seems a bit extreme to me. My boss and fellow co-workers would not accept any explanation for those numbers. Is this typical of all UTM devices? Im considering fortinets fortigate devices for securing our network but this makes me a bit weary.

Hi I am looking for NGFW with UTM but should comply with the below requirements:Please advise if this can suit.

Detailed Technical Evaluation sheet for OEM Product Evaluation.
Hardware and Interface Requirements
S.NO Features
1 Firewall appliance should have Console port and USB Ports
2 Appliance should be rack mountable and support side rails if required
3 Firewall should have Hardware Sensor Monitoring capabilities.
4 The platform should support VLAN tagging (IEEE 802.1q)
5 Active -Active, Active-Standby Redundancy/Load Balancing: The firewall must support Stateful active-active load balancing and high availability for redundancy.
6 The firewall should support ISP link load balancing and failover.
7 Firewall should support Link Aggregation functionality to group multiple ports as single port.
8 Firewall should support Ethernet Bonding functionality for Full Mesh deployment architecture.
9 The platform must be supplied with at least sixteen (16) 1G portsand future expansion slots of 4 minimum 1G and 10G ports.

Performance Requirements
S.NO Features

1 Unified Threat Management Firewall Throughput should be 30 Gbps at minimum
2 Superior performance for IPv4/IPv6, SCTP and multicast traffic with ultra-low latency down to 3 microseconds.
3 Traffic shaping and priority queuing.
4 Providing high-speed cryptography and content inspection services including signature-based content inspection acceleration and encryption and decryption offloading.
5 The firewall should be able to store to store logs for a minimum of 12months
6 IPS/IDS+ Application control Throughput should be minimum 24 Gbps or above with Strictest profile with almost all protections enabled for IMIX traffic.
7 IPSec VPN Throughput should be 14 Gbps.
8 The Firewall must support minimum 30 Million concurrent sessions
9 The Firewall must support minimum 200,000 new connections per second processing.
10 Appliance should have a capability to support not less 1024 number of VLANs
11 Firewall should have Virtual domain feature for creation of 20 virtual firewall appliances within a single box at minimum.

Architecture Features
S.NO Features

1 Proposed Solution should have Firewall Modules, Firewall Management & Monitoring Server, report and alert server and GUI Console.
2 The communication between all the components of Firewall System (firewall module, logging & policy management server, and the GUI/WebUI Console) should be encrypted with SSL or PKI.
3 Firewall Appliances and associated management system (firewall module, logging and policy) should be in Active – Active with load balance and automatic failover architecture.
4 It should support the IPSec VPN for both Site-Site & Remote Access VPN
5 Firewall system should support virtual tunnel interfaces to provision Route-Based IPSec VPN
6 Firewall Real-Time Monitoring, Management & Log Collection (with storage) should be a SINGLE Appliance / Server
7 It should support the system authentication with TACACS+, RADIUS
8 Firewall Appliance should have a feature of holding multiple OS images to support resilience & easy rollbacks during the version upgrades.
9 Integrated all-in-one security delivers enterprise-class multi-threat protection for the remote access
10 It should provide a control framework for firewall policies change management.
11 It should be scalable and reliable.

Network protocols/Standards Support Requirement
S.NO Features

1 It should support at least standard TCP/IP protocols and interfacing for firewall requirements including support for authentication with Active Directory.
2 Firewall Modules should support the deployment in Routed as well as Transparent Mode.
3 The Firewall must provide state engine support for all common protocols of the TCP/IP stack.
4 The Firewall must provide NAT functionality, including dynamic and static NAT translations.
5 All internet based applications should be supported for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, Ms-Exchange etc
6 Local access to the firewall modules should support authentication protocols – RADIUS & TACACS+
7 IPSec VPN should support the Authentication Header Protocols – MD5 & SHA.
8 IPSec ISAKMP, IKEV1& IKEV2 methods should support Diffie-Hellman Group 1,2,5,14 & 19, MD5 & SHA Hash, RSA & Manual Key Exchange Authentication, 3DES/AES-256 Encryption of the Key Exchange Material and algorithms like RSA-1024 / 1536.
9 IPSec encryption should be supported with 3DES, AES-128 & AES-256 standards.
10 IPSEc should have the functionality of PFS and NAT-T.
11 Firewall should support PKI Authentication with PCKS#7 & PCKS#10 standards.
12 It should support BGP, OSPF, RIPv1 &2, Multicast Tunnels, DVMRP protocols.
13 Firewall should support configuration of IPSEC VPN links at a minimum of 2000 tunnels.

Firewall Filtering Requirements
S.NO Features

1 It should support the filtering of TCP/IP based applications with standard TCP/UDP ports or deployed with customs ports.
2 The Firewall must provide state engine support for all common protocols of the TCP/IP stack.
3 The Firewall must provide filtering capability that includes parameters like source addresses, destination addresses, source and destination port numbers, protocol type.
4 The Firewall should be able to filter traffic even if the packets are fragmented.
5 All internet based applications should be supported for filtering like Telnet, FTP, SMTP, http, DNS, ICMP, DHCP, ARP, RPC, SNMP, Lotus Notes, Ms-Exchange etc.
6 It should support the VOIP Applications Security by supporting to filter SIP, H.323, MGCP and Skinny flows.
7 It should be able to block Instant Messaging like Yahoo, MSN, ICQ, Skype (SSL and HTTP tunneled).
8 It should enable blocking of Peer-Peer applications, like Kazaa, Gnutella, Bit Torrent, IRC (over HTTP).
9 It should have DDOs Mitigation capabilities.
10 It should have Data Loss prevention capabilities
11 The Firewall should support authentication protocols like LDAP, RADIUS and have support for firewall passwords, smart cards, & token-based products like SecurID, LDAP-stored passwords, RADIUS or TACACS+ authentication servers, and X.509 digital certificates.
12 The Firewall should support database related filtering and should have support for Oracle, MS-SQL, and Oracle SQL-Net.
13 The Firewall should provide advanced NAT capabilities, supporting all applications and services-including H.323 and SIP based applications.
14 Should support CLI & GUI based access to the firewall modules.
15 Local access to firewall modules should support role based access.
16 QoS Support [Guaranteed bandwidth, Maximum bandwidth, Priority bandwidth utilization, QOS weighted priorities, QOS guarantees, QOS limits and QOS VPN].
17 It should support filtering based on user specification of the contents to be filtered(type of contents within sites, category of websites and applications like What Sapp, Facebook etc).
18 It should support traffic filtering at all TCP IP layers

Integrated IPS and IDS Feature Set
S.NO Features

1 It should have capabilities to protect zero day attacks/Attacks with unknown signatures.
2 Integrated IPS and IDS functionality should be available as a software module that can be activated and de-activated as and when required.
3 The IPS should be constantly updated with new defenses against emerging threats.
4 IPS updates should have an option of Automatic downloads and scheduled updates so that it can be scheduled for specific days and time.
5 Should have flexibility to define newly downloaded protections will be set in Detect or Prevent mode.
6 Activation of new protections based on parameters like Performance impact, Confidence index, Threat severity etc.
7 IPS Engine should support Vulnerability and Exploit signatures, Protocol validation, Anomaly detection, Behavior-based detection, Multi-element correlation.
8 IPS profile can be defined to Deactivate protections with Severity, Confidence-level, Performance impact, Protocol Anomalies.
9 IPS Profile should have an option to select or re-select specific signatures that can be deactivated
10 Intrusion Prevention should have an option to add exceptions for network and services
11 IPS should have the functionality of Geo Protection to Block the traffic country wise.
12 IPS Policy to Block the traffic by country should have an option to configure in incoming direction, Outgoing direction or both.
13 IPS events/protection exclusion rules can be created and view packet data directly from log entries with RAW Packets and if required can be sent to Wire shark for the analysis.
14 Application Intelligence should have controls for Instant Messenger, Peer-to-Peer, Malware Traffic etc
15 Application Intelligence should have controls for Instant Messenger, Peer-to-Peer, Malware Traffic etc.
16 IPS should provide detailed information on each protection, including: Vulnerability and threat descriptions, Threat severity, Performance impact, Release date, Industry Reference, Confidence level etc.
17 IPS should have an option to create your own signatures with an open signature language that detects and block harmful contents or applications.

Identity Awareness Features
S.NO Features

1 Firewall Should support Identity Access for Granular user, group and machine based visibility and policy enforcement.
2 Firewall should support the Identity based logging.
3 Identity Access should be able to distinguish between employee and other like guests and contractors.
4 Should have an option of time duration for Guests Login.
5 Should provide seamless AD Integration with multiple deployment options like Clientless, Captive Portal or Identity Agent.
6 Should support and obtain the user identity in case user is behind a proxy.
7 Identity awareness licensing should be passed per gateway and not restrict on the basis on users.
8 Should support redundancy High Availability and Load Sharing.
9 Identity Awareness should work in conjunction with Application Control.
10 Identity should be learnt from Active directory users and groups.

Web Control [Application Control +URL Filtering]

S.NO

1 Solution should provide Web Application Firewall (WAF) support Application Detection and Usage Control.
2 Should enable securities policies to identify, allow, block or limit application regardless of port, protocol etc.
3 Application Control Databases should have more than 2000+ Web 2.0 applications and 2,00,000+ Social Networking Widgets.
4 Should have more than 100+ Categories based on Urls, Application types, Security Risk level etc and number of URLs categorized should be more than 280 Million.
5 Should have Categories like Business Applications, Instant Messaging, File Storage and Sharing, Mobile Software, Remote Administration, SMS Tools, Search Engine, Virtual Worlds, Webmail etc.
6 Should support User and Group based policies.
7 Solution should have an option of creating custom categories for URL and Application control.
8 Solution should have an option of mechanism of educating users for eg Ask user before allowing access website.
9 Solution should support Actions like Inform, Ask, limit and Block.
10 Should be integrated with Identity Awareness for granular control of application by specific users, group of users and machine they are using.
11 Should provide Seamless and Agent-less integration with Active Directory
12 Active Directory user's identification may be done either through querying Active Directory, through a captive portal or through installing a one-time, thin client-side agent.
13 Should be Managed Centrally from Single Dashboard via user friendly interface.

Antimalware Feature Set( Antivirus+ Bot Attacks)
S.No Features

1 Solution should be able to identify malwares coming from incoming files and malwares downloaded from Internet.
2 Solution should be able to Discover bot outbreaks, infected machine, prevent Bot damage.
3 Solution should have an Multi-tier bot discovery ie Detect Command and Control IP/URL and DNS.
4 Solution should be able to detect Unique communication patterns used by BOTs ie Information about Botnet family.
5 Solution should be able to block traffic between infected Host and Remote Operator and not to legitimate destination.
6 Solution should be able to provide with Forensic tools which give details like Infected Users/Device, Malware type, Malware action etc.
7 Anti-virus scanning should support proactive and stream mode.
8 Solution should be able to create a protection scope for the inspection
9 Solution should give information related to Performance impact and confidence level of protections while creating profiles.
10 Solution should have an option of configuring Exception.
11 Solution should be able to Scan by File direction and IP address.
12 File type recognition along with following actions ie Scan, Block, Pass.
13 Should be able to scan any file irrespective of it size.
14 Antivirus protection protocols for HTTP,HTTPS, FTP, POP3, SMTP.
15 Anti-spyware for pattern based blocking at the gateway.
16 It should provide protection against boot tampering.
17 Centralized daily, automatic and manual updates.
18 Solution should have an option of packet capture for further analysis of the incident.
19 Solution should have an option of setting Malware trap to identify compromised clients.
20 Solution should provide attack remediation.

SSL VPN Features Set
S.No Features

1 The solution must support Minimum 20,000 Concurrent VPN peers.
2 Secure Remote access to corporate application over the internet via Smartphones or PC's, Tablets and Laptops.
3 Enterprise-grade remote access via SSL VPN for secure mobile connectivity to email, calendars, contacts and corporate applications.
4 Verify authorized users with the two-factor authentication and user-device pairing.
5 Provide Secure SSL VPN access, Two Factor Authentication, Device/end user pairing, Mobile Business Portal, Provisioning of Security Feature and email profile.
6 SSL VPN for access to various corporate applications like Web applications, File shares, Citrix services, Web Mail, Native applications etc.
7 SSL VPN portal for Secure web based connectivity for web applications, web based resources, shared files emails.
8 End Point Scanning on Demand for endpoint compliance and malware scanner, key loggers, Trojans and Self remediation for out of compliance users.
9 Secure Virtual Workspace for virtual environment, insulated from the host and encrypts and deletes browser and applications cache, files, etc when session ends.
10 The solution should support strong Two factor authentication by integrating with Web SMS Gateway/Email Server or with 3rd party Two factor Authentication vendor like RSA etc…
11 Dynamic ID Direct SMS/email authentication can be configured to send One-Time Password (OTP) to an end user communication device via an SMS message or on email.
12 Support of Mobile phones 3G, 4G, iPad, Android, Iphone etc.

Administration, Management,& Logging/Reporting Functionality
S.NO Features

1 Management, Real-Time Monitoring, Log Collection and Reporting should be a separate dedicated system.
2 Firewalls should be manageable from the centralized management framework.
3 Firewalls should provide forensic reports.
4 Firewalls should provide security Dashboard.
5 Any changes or commands issued by an authenticated user should be logged to a database.
6 Firewall Management system should also provide the real time health status of all the firewall modules on the dashboard for CPU & memory utilization, state table, total # of concurrent connections and the connections/second counter.
7 Firewall must send mail or SNMP traps to Network Management Servers (NMS) in response to system failures or threshold violations of the health attributes.
8 The Firewall must provide simplified provisioning for addition of new firewalls where by a standard firewall policy could be pushed into the new firewall.

Hi Orlon, I have never seen a drop from 1Gb/s to 100Mb/s for any collection of security features. I've seen 35-40% performance loss, but not 90%

I had my data speed compromise confirmed by my paid support subscription.