Fortinet FortiGate Review

The UTM (application control) features have solved many issues that other firewall providers cannot, such as Google suite blocking and allowing.


What is most valuable?

The UTM (application control) features have been very important, because they have solved many issues that other firewall providers have not developed as Fortinet has.

A clear example of this feature's advantages is blocking and allowing the Google suite. For example, without UTM, we would not have been able to execute some customer requirements like this one:

A customer told us that a host on their LAN was going to be assigned as a POS workstation. They needed that workstation to have permissions to some applications and some URLs, and they needed to block users from opening sites like YouTube, Google+, and Google Drive, but they still needed access to some POS URLs hosted in the Google cloud. We were working with rules allowing some specified URLs, but this didn’t work because the IP subnet the customer needed to be allowed sometimes matched the YouTube service. Google support engineers told us they rotate their IP addressing subnets to be more secure and they do not always attach an IP address to a domain name. So, sometimes the customer’s workstations were able to open YouTube sites too.

The way we could block YouTube and allow the customer's POS URLs was by configuring an application control sensor, where we were able to block some categories like this:

Another requirement was to allow some specified applications, so we configured the following sensor structure:

Another customer reported to us that they had issues working with Gmail attachment files; they could not do it. After running some packet captures, and with help from Fortinet TAC, we found they were using the latest Chrome versions, which use Google's QUIC protocol, which is not supported by Fortinet because it is not a valid protocol. We proceeded to block the QUIC protocol using an application control sensor.

After this blocking action, the customer was able to work without any issue.

How has it helped my organization?

It can block applications in level 7.

Even though other companies have latest-generation firewalls, FortiGate’s database is bigger.

What needs improvement?

They could improve performance with all the UTM features working.

Sometimes, we have seen that when you enable the antivirus sensor, customers report slow web browsing. We know this is normal, but we would like to know if it is possible to make the customer feel their web browsing is fast, without as much delay. The antivirus sensor analyzes all the protocols and packets we specified, and this has an important performance impact. From my personal point of view, I don’t think it is a serious issue, but we receive many reports from users who browse the web with antivirus sensors applied to their firewall policies.

For how long have I used the solution?

I have been using it for seven years.

It is working in route mode, with all UTM licences active; it has FSSO configured to give permission to the users. It is configured to provide VPN SSL service.

What do I think about the stability of the solution?

I have encountered stability issues only when we enable all the UTM features.

What do I think about the scalability of the solution?

I have not encountered any scalability issues.

How are customer service and technical support?

Technical support is 9/10.

Which solution did I use previously and why did I switch?

We have been using FortiGate solutions for eight years. We have been upgrading when solutions in the family become unsupported.

How was the initial setup?

The initial setup is easy; no issues with doing it.

Which other solutions did I evaluate?

My company did not evaluate other options. They decided to purchase FortiGate directly.

What other advice do I have?

Work a lot with all of the UTM features because they can be very helpful right now with configuring firewall policies. The policies became very whole.

Which version of this solution are you currently using?

200D

Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Fortinet provider for Mexico.
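
An added example, not part of the original review and not FortiGate configuration: a small Python model of why the IP-subnet allow rule described in the review let YouTube through when the POS site shared a cloud address range, while a rule keyed on the application (approximated here by the TLS hostname) does not. All addresses, hostnames and flows are constructed, and the hostname match is only a stand-in for application control signatures.

```python
import ipaddress

# Constructed sample flows (documentation address ranges, made-up hostnames).
# "sni" is None for the UDP/443 flow, standing in for QUIC traffic.
FLOWS = [
    {"dst": "203.0.113.10", "proto": "tcp", "port": 443, "sni": "pos.retail.example"},
    {"dst": "203.0.113.42", "proto": "tcp", "port": 443, "sni": "www.youtube.com"},
    {"dst": "203.0.113.42", "proto": "udp", "port": 443, "sni": None},
    {"dst": "198.51.100.7", "proto": "tcp", "port": 443, "sni": "drive.google.com"},
]

# Assumption: the POS site and the video site are served from the same range.
ALLOWED_NET = ipaddress.ip_network("203.0.113.0/24")
ALLOWED_HOSTS = {"pos.retail.example"}


def ip_rule(flow):
    """Layer 3 policy: allow anything whose destination is in the allowed subnet."""
    return "allow" if ipaddress.ip_address(flow["dst"]) in ALLOWED_NET else "deny"


def app_rule(flow):
    """Application-level policy: deny QUIC, then allow only named hosts."""
    if flow["proto"] == "udp" and flow["port"] == 443:
        return "deny"  # QUIC blocked, as the review describes
    host = (flow["sni"] or "").lower().rstrip(".")
    return "allow" if host in ALLOWED_HOSTS else "deny"


def compare(flows=FLOWS):
    """Return (label, ip_rule verdict, app_rule verdict) for each flow."""
    return [(f["sni"] or "quic/udp-443", ip_rule(f), app_rule(f)) for f in flows]


def leaks(flows=FLOWS):
    """Flows the subnet rule allows but the application rule denies."""
    return [name for name, ip_v, app_v in compare(flows)
            if ip_v == "allow" and app_v == "deny"]


if __name__ == "__main__":
    for name, ip_v, app_v in compare():
        print(f"{name:22} ip_rule={ip_v:5} app_rule={app_v}")
    print("allowed only by the subnet rule:", leaks())
```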
8 Comments

it_user125442 (Dono at a tech consulting company)
Consultant

Hi Roberto,

As a Fortinet partner, I think that your project was not well dimensioned for your amount of users, kind of traffic and features to implement. This is the best solution.

I would appreciate it if you could share the model and the users/sites involved.

If you need some help, please feel free to stay in touch.

it_user500160 (Senior Telecoms Engineer with 201-500 employees)
User

Still confused about which one is the better firewall solution, i.e. Checkpoint or FortiGate.

it_user378174 (IT Infrastructure officer at a financial services firm with 501-1,000 employees)
Vendor

What is your recommendation about Cyberoam 100ING?

it_user500160 (Senior Telecoms Engineer with 201-500 employees)
User

Never heard of this product. What is the technology background for this?

Hamza_Farhan (A10 Networks)
Real User

**Sizing is ALWAYS an issue for many people, even for Sales Engineers / System Engineers. Number of users is not always the baseline when selecting the best model because you have other services running on your network and other factors that you need to take into consideration, such as whether you have IPSec VPN or not, SSL VPN users, WiFi users, etc.

**You need to use some tools to collect info about ingress/egress bandwidth to get a general idea about your network throughput. Otherwise, you might have some performance issues, and after working with TAC they will end up telling you that the unit in place is not able to handle such traffic.
**No matter if you are talking about ASIC-based or multi-processor UTM, the moment you enable all UTM features, the throughput becomes around 50% of overall throughput.

**Checkpoint vs. Fortigate :

-Price wise, CP is way expensive compared to Fortigate
-Both share the majority of features
-Troubleshooting issues with CP is complex and I don’t like the complexity of the product because it makes it hard to troubleshoot

it_user461325 (User at a energy/utilities company with 10,001+ employees)
Vendor

A couple points to keep in mind. The throughput numbers for fortigate are pretty much fiction. This isn't insurmountable if you size it right up front. A 600C is rated at 1.3GB throughput with everything enabled, but in reality fails almost constantly at 500Mb. Also, fortigates fail open, so when the box is overloaded all traffic is passed and nothing is inspected....not ideal if security is your priority. On the other hand checkpoint and fortigate are not in the same league in terms of cost either so I'm not sure they are really direct competitors, and checkpoint has its problems as well, such as needing a 370Mb thick client to properly manage the firewalls (yes there are some web management options but it isn't everything you need to do, at least it wasn't at the end of 2015).

Alejandro Ortega
Real User

Roberto:
Have you tried or evaluated Watchguard? I have tested both devices with all UTM features enabled, and with WG I have not found any stability problem or delay with everything enabled, even when exceeding the number of users recommended by the manufacturer. With my clients, I always "lend" them both devices so that they can evaluate them themselves, and in 90% of cases they stay with WG, for various reasons that I do not consider relevant to comment on in this space.

Greetings.

Orlee Gillis
Consultant

Hamza, I think you may find our product comparison between Checkpoint and Fortigate interesting:

https://www.itcentralstation.com/products/comparisons/check-point-utm-1_vs_fortinet-fortigate