The UTM (application control) features have been very important, because they have solved many issues that other firewall providers have not developed as Fortinet has.
A clear example of this feature advantages is blocking and allowing the Google suite. For example, without UTM, we would not have been able to execute some customer requirements like this one:
A customer asked us that some host on their LAN is going to be assigned to be a POS workstation. They needed that workstation to have permissions to some applications and some URLs, and they needed to block users from opening sites like YouTube, Google+, and Google Drive, but they needed to get in to some POS URLs hosted in the Google cloud. We were working with rules allowing some specified URLs, but it didn’t work because the subnetting IP address the customer needed to be allowed, sometimes matched the YouTube service. Google support engineers told us they rotate their IP addressing subnets to be more secure and they do not always attach an IP address to a domain name. So, sometimes the customer’s workstations were able to open YouTube sites too.
The way we could block YouTube and allow the customer POS URLs sites, was by configuring an application control sensor, where we were able to block some categories like this:
Another requirement was to allow some specified applications, so we configured the next sensor structure:
Another customer reported to us they had issues working with Gmail attachment files; they could not do it. Executing some packet captures and with the Fortinet TAC help, we found they were using the latest Chrome versions that use the QUIC Google protocol, which is not supported by Fortinet because it is not a valid protocol. We proceeded to block the QUIC protocol using an application control sensor.
After this blocking action, the customer was able to work without any issue.
Improvements to My Organization:
It can block applications in level 7.
Even though other companies have latest-generation firewalls, FortiGate’s database is bigger.
Room for Improvement:
They could improve performance with all the UTM features working.
Sometimes, we have seen that when you enable the antivirus sensor, customers report slow web browsing. We know this is normal, but we would like to know if it is possible to make feel the customer their web browsing is fast with not as much delay. The antivirus sensor analyzes all the protocols and packets we specified, and this is an important performance affectation. In my personal point of view, I don’t think it is a serious issue, but we receive many reports from users who browse the web with antivirus sensors applied to their firewall policies.
Use of Solution:
I have been using it for seven years.
It is working in route mode, with all UTM licences active; it has FSSO configured to give permission to the users. It is configured to provide VPN SSL service.
I have encountered stability issues only when we enable all the UTM features.
I have not encountered any scalability issues.
Technical support is 9/10.
We have been using FortiGate solutions for eight years. We have been upgrading when solutions in the family become unsupported.
The initial setup is easy; no issues with doing it.
Other Solutions Considered:
My company did not evaluate other options. They decided to purchase FortiGate directly.
Work a lot with all of the UTM features because they can be very helpful right now with configuring firewall policies. The policies became very whole.
Disclosure: My company has a business relationship with this vendor other than being a customer: My company is a Fortinet provider for Mexico.