Fortinet FortiGate Review

I could achieve the same results with a software firewall. This one comes in a nice hardware package. Using the CLI should be documented better.


What is most valuable?

  • Flexibility
  • Flow tracking
  • B2B VPN

How has it helped my organization?

It's good for what it is. I could achieve the same results with a pfSense firewall. This one just comes in a nice hardware package.

What needs improvement?

Better documentation about usage of the CLI. I learned most of what I know in diagnostic functionality through saving SSH sessions with the customer support staff while in WebEx sessions.

I have tried looking up the manuals. They are OK in some respects, but I feel exhaustive documentation about the CLI "with examples" should be there, and I feel it's not.

I'm saying, hey, let's consolidate some of the primary real-world scenarios, like:
Section A: Troubleshooting B2B VPN peering with a business partner or client when initially setting up the VPN tunnel.

Inevitably, there are always quirks and nuances between the FortiGate vendor versus peering with a Palo Alto or an ASA firewall, or even a Juniper SSG.

Imagine providing all steps, command-line syntax, and GUI (if available), and how to take steps to debug the flow and see what's failing.
Sometimes it's super hard to figure out what's wrong with a FortiGate VPN unless you know the commands on the CLI to see the flow and how to interpret it.

If they had all the methods/syntax and the "hows and whys" for a scenario, even possibly an instructional video showing how via the CLI and GUI alongside the documentation, it would be like the pearly gates had opened and I had gone to heaven.

For how long have I used the solution?

I have used it for three years.

What do I think about the stability of the solution?

I never encountered any stability issues. It is a very stable product.

What do I think about the scalability of the solution?

Scalability has not been an issue for my org. We only utilize it for certain applications.

How are customer service and technical support?

Technical support is excellent, although it can be a bit difficult to understand the tech. As with most support staff from almost all vendors now, the support comes from somewhere across the pond.

Which solution did I use previously and why did I switch?

On the site where the FortiGate is stationed, it's never been changed out.

How was the initial setup?

Initial setup was straightforward.

What's my experience with pricing, setup cost, and licensing?

Buy the support package! Upgrades, advice about upgrade paths, and troubleshooting help are paramount. There have been some times where, without it, I'd have been dead in the water.

Which other solutions did I evaluate?

This was an in-place firewall when I integrated the site to my org.

What other advice do I have?

Figure out what features you want, and what policies you want. Look up how to do it in advance, and create an implementation plan.

Plan for policies, routing, NATting, etc. Create a step-by-step process in advance, possibly create the environment in a DEV sandbox, test it, then implement.

It has a good feature set. However, sometimes you are forced to solicit technical support to get it working.

Also, I find the web interfaces sometimes do not display things properly.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
6 Comments

Hamza_Farhan (A10 Networks)
Real User

I agree with you that reading the output of FortiGate debug command(s) needs the knowledge first of how to interpret the output, and to have that, you either take the NSE-7 course or read the admin guide, since it shows some debug outputs along with explanation.

The logs are useful but do not provide much explanation, which is the reason why most of the time we depend on debug commands to find out what the problem is.

With 5.4.0 firmware, Fortinet introduced a new feature called "Policy Learning Mode". The learning mode feature is a quick and easy method for setting a policy to allow everything but log it all, so that it can later be used to determine what restrictions and protections should be applied.

Link: https://video.fortinet.com/video/238/learning-mode-policy-5-4-1

it_user219912 (IT Infrastructure - Cloud Admin at Primary S.A.)
Vendor

Nice review!
I would like to replace the Cisco ASA that I have in production... Annoying CLI, and other stuff that makes managing that device a really painful experience (I'm CCNA, almost CCNP).
Fortinet is one brand that I will evaluate; this review helped me, thanks!

NetworkEng896
Real User

Luciano, thanks for the kind comments on my review. IT Central Station asked me to comment on the FortiGate product, and I tried to give a fair but firm evaluation of my user experience to date. I'm glad you found it useful.

Orlee Gillis
Consultant

Hamza, how has Fortinet's new feature, "Policy Learning Mode", affected your understanding of which restrictions to apply and which aren't relevant?

Hamza_Farhan (A10 Networks)
Real User

This feature gives you what we call "Network Visibility" by applying all security profiles, such as IPS/IDS, App Control, Web Filter, etc., all in monitoring mode, to help build an effective security policy between different network zone(s). But first you need to understand what type of traffic is passing through your network by using different tools such as NetFlow; Fortinet added that feature with the 5.4 firmware, so there is no need for you to use multiple tools to gain such network visibility.

Andrew S. Baker (ASB)
Consultant

Great review. I was going to disagree with you about the CLI documentation, but I found that the examples really are missing for the common use cases, as you stated, so I had to agree.

The cookbook is getting better, but it's not yet comprehensive enough. Very good platform.

I also wish there were elements that you could rename without having to reload an entire config, but I am happy that you can easily search/replace a config and then reload it.

-ASB