What is our primary use case?
We used FG-90D as UTM device to protect some users and servers, and also to enable inter-vlan routing with advanced security policies inside our lab zone. We also use FG-500D in transparent mode in front of Cisco ASA for advanced and high performance protection of clients' traffic by applying AV, IPS, AntiSpam, App.Control and DoS-protection profiles.
How has it helped my organization?
Better manageability (opening and closing ports/services/addresses is very quick).
Outstanding reporting tools when coupled with FortiAnalyzer (Fortinet's log collector and reporting tool).
Better security posture.
What is most valuable?
Good VPN, both IPSEC and SSL (web-mode, tunnel-mode). An engineer/network administrator has tools to debug VPN issues that can occur during tunnel setup with other vendors' equipment.
VDOMs are very useful when you need to grant admin role to clients separately. VDOMs in FortiGate can be represented in FortiAnalyzer's ADOMs (administrative domain), which can have different log storage policies, event handling and alerting configurations.
Ability to capture packets going through any interface of device (and VM too). You can set number of packets, filter out packets by IP and port number for particular troubleshooting purposes, then download a .pcap file from web gui and analyze it in your favorite programm.
Human readable firewall policies with editable security policies and addresses in single page. This is very useful and time saving feature.
Bulk CLI commands are uploaded via gui in script file (portions of config file).
Advanced routing (RIP, OSPF, BGP, PBR). It gives you a seamless and simple integration into a large network.
IPS and AV are working very well.
SSL Inspection and CASI (Cloud Access Security Inspection) profiles.
Straightforward SNAT and DNAT.
Rich logging options.
LDAP integration variants for any case (scalable approach).
Can work as explicit web-proxy and supports web-caching.
Straightforward HA with different redundancy schemas.
What needs improvement?
I think there could be more QoS features in GUI. FortiGate has Traffic Shaping that is enough in most cases, but sometimes I just need 802.1p prioritizing (Class of Service) and manual queue assignment. Also a few ports supporting native vlan while in trunk mode would be very helpful in some cases.
For how long have I used the solution?
What do I think about the stability of the solution?
Small models (up to FG-90) are build on SoC (System on a Chip), so they need to be mounted in places with enough airflow and right temperature, otherwise they could hang, slow down traffic processing, but more often you just can't log in to the device's web-interface (reboot won't help you until it cools down). Actually, that's not an issue. It is a technical requirement for operating environment to be 5-40 degrees (but at 35 degrees with poor airflow there may be issues mentioned above).
What do I think about the scalability of the solution?
For large scale deployment I would suggest to look at FortiManager, a central management point for large amount of FortiGates. I have tested the solution and found it quite useful. I could download configuration from any device and install edited list of policies to several devices simultaneously through a couple of clicks. Also I liked functionality of clearing out Address objects list from unused entries. It can be configured to be a central repository of firmware and updates, and a local rating server (url and antispam rating services) which can improve rating lookup latency value.
How are customer service and technical support?
Technical support is good (in average).
If you previously used a different solution, which one did you use and why did you switch?
We used an old IPS from Cisco. We switched because of End-of-Support on that device.
How was the initial setup?
Initial setup in plain networks is very straightforward. For large environment you should prepare beforehand, because FortiGate is a highly-tunable and feature rich product, so you must have a plan with many considered details.
What about the implementation team?
We did not engage a vendor team. Documentation is good enough to implement through an in-house team.
What's my experience with pricing, setup cost, and licensing?
Setup cost may be not so low, as you expect, because it depends on different factors, but TCO for 5 years may pleasantly surprise you.
Which other solutions did I evaluate?
Palo Alto, Cisco ASA, CheckPoint
What other advice do I have?
Many interesting things are hidden in CLI, they can help you in different situations. Web-interface (GUI) is primarily intended for day-to-day routine.
Don't underestimate FortiAnalyzer. It can give you a better understanding of what is going on in your network. When FortiGate sends logs to FortiAnalyzer, FortiAnalyzer inserts received log data into database. Predefined and customizable data queries, charts and reports can significantly help you by visualizing problem points, so you can thoroughly investigate security events and traffic behavior anomalies.
FortiGate is a constantly evolving product, so pay attention to FortiOS version it runs.
Disclosure: I am a real user, and this review is based on my own experience and opinions.