We were looking to upgrade to the latest standard and increase speed. The reason we went with Fortinet is the whole system Fabric, with the FortiGate and Fortinet Wireless product.
We were looking to upgrade to the latest standard and increase speed. The reason we went with Fortinet is the whole system Fabric, with the FortiGate and Fortinet Wireless product.
One of the big reasons that we kept moving in the Fortinet direction, expanding the Fabric, is that we wanted to tighten security from within our network. The students like to play a lot and we had to protect from the inside, as well as the outside. As people know, the users are becoming more and more of a threat. Having the single pane of glass, by using the Fortinet Security Fabric, allows us to tighten security, and more easily and quickly create additional VLANs to help protect data. Rules in the firewall mean we can protect data and systems so that, should anything go wrong, any security issue is held to an individual device.
Since using the product - and we have security issues like everybody does, all the time - with the Fortinet Security Fabric all the way to the endpoint, we've been able to make sure the security threat is isolated to that device. The FortiClient usually quarantines it and that saves tons of time. Before, when we would have a security breach, we would have to go to a different system and check and trace it. Now, when there's a security breach of any kind, it gets quarantined quickly. And because of the interaction of the Fabric, we're able to see exactly how it was quarantined, and it saves us an incredible amount of time, in reacting to those security issues.
The most valuable feature for us is the way everything is accessible through FortiGate. Having that single pane of glass to see everything makes it really easy to use, to set up and design the SSIDs and the interaction with the VLANs that you create. It just makes it that much easier.
We can deploy a tunnel-based VLAN and SSID, for something that happens at the last minute, in a matter of minutes, because of the interaction between the FortiGate, the FortiSwitches, and the FortiAPs.
The thing we like best about the single pane of glass is that by looking at the screen on the FortiGate, we're able to actually see the status of the access points. It pulls in client data from the access points, so we can see who is connected and the connections that are working. We can follow the connection all the way through the firewall, to the end destination. It really assists in troubleshooting any kind of connection issue or filtering issue we may have.
In terms of the Fortinet Security Fabric, one of the reasons we kept expanding with, and choosing, Fortinet products is because of that Security Fabric. We are continuing to expand on that. Currently, we have, of course, the FortiGate, and that Fabric is extended to the FortiSwitches we use, the FortiAPs, as well as the FortiAnalyzer, which is used to collect logs from all the devices, from both the wireless and the FortiGate.
An example of how that's helpful is, if we're trying to troubleshoot a problem - and being a school, we filter data heavily - it takes a while, sometimes, to track down a problem that users might be having with a website. With it all being tied together, we're able to actually trace it right down to what website might be categorized incorrectly, so we can get that corrected so that the users aren't interrupted.
We also have the FortiAuthenticator which authenticates users seamlessly with the FortiClient that's on their devices. It also polls Active Directory Servers, so we have transparent identification of all of our users. That allows our devices to get on the network, yet they're viewable: We know who it is, what device it is, and we can track it all the way to where they're going, without any interaction from the user. It makes it a lot simpler to manage a large number of people and devices.
We're a reference customer for Fortinet, so I get a lot of calls, usually from other schools or colleges, that are looking at deploying the product. When talking to them, they tell me about some of the things that they're looking at. There are some other companies out there that have a feature that's on the access point that allows them to mimic users.
For example, if you have an access point in an area, and people are complaining about an issue, the feature that I'm being told is on a competitor's device would allow you to connect to that access point, and actually impersonate a connected device. You're able to troubleshoot any issue that an end-user may be reporting, and hopefully duplicate it. To me, that seems like an amazing feature.
I would like to see something like that in the Fortinet solution.
Like with any new solution that you put in, with this kind of complexity, it takes a little bit of time to stabilize. Anything that you do to a network takes a little bit of time for you to get to the point where it stabilizes.
It's been fairly stable right from the start. It's not like we had any major issues or outages. It continues to get more and more stable as they address the bugs. When I talk about bugs, a lot of people might think, "Well, it's got some bugs in it." But when you look at the details of the number of the products that you're using in the Fabric, it is understandable that they do have to work some of that stuff out. None of the bugs cause any operational issues.
Most of the bugs we see are a little inconvenience, where we have to do something in a slightly different way until the fix release. With the next release, it becomes more and more stable.
We knew up front, when we did the deployment, that we were going to have to deal with a few more bugs because we purposely went with the new version. We decided we wanted to work at it until we got stable on the new version. Once we get there, we'll probably step back and wait a little bit until the next version comes out. Right now, we're FortiOS 6.03 and 6.2 is going to be coming out, probably sometime next year. We'll probably move to 6.2 six to nine months, or longer, after it's out, depending on what features we want.
It's extremely scalable. As long as your firewall is big enough to handle your needs, and the connection, the product is extremely scalable. They're very good at supporting products for a decently long amount of time.
When we did the access-point switchover, we upgraded our firewall. The firewall we replaced was six years old. We would have been able to stay on that firewall, but at the same time, because of all the other work we were doing, we wanted to expand it, knowing that we were probably going to keep it for an extended amount of time.
They're very good at keeping support on the product; updates as far as they can. At the time that we retired our product, it was just about to the point where it was not going to support the next versions of the software. Even though we only had it for six years, we did buy an older model when we bought it because of cost. So the product was actually an eight-year-old product. And it did very well.
Unfortunately, with any product, as detailed as tech products are today, you tend to have use tech support. Even before, with Cisco, we had little tech support issues, because of the way technology and security is blowing up so quickly, and the detail in the all the products. All products have small issues or bugs or may have a little glitch where they don't work.
Fortinet has them, but they're very good about helping you work around them, and then getting a release to fix that bug. We did run into a few of them, but none of them were major bugs that caused a huge interruption. They were minor bugs.
Tech support is pretty good at analyzing it, and saying, "This is what it is," and coming up with a solution to work around it.
We even have quarterly reviews, where they come onsite and we sit down and we talk. We talk about what's going on, what we like, any issues that we have. They've been really great. They'll say, "Well, what are you doing after this?" They don't take up a ton of our time, just enough to nudge us in the right direction.
The sales engineer is someone else who, if I have a question or anything, I can shoot an email his way and he'll give me an answer right away.
And if I have a ticket in that might be more major, something that I need a little bit more quickly, if I shoot them the ticket number and ask them to escalate it, they'll get more people involved, to work at getting a workaround, or a solution for it. They're really good about that.
Our previous wireless solution was Cisco. That was our first wireless solution. We used Cisco 3500s and 3700s. We needed to upgrade so we could handle more bandwidth, because the access points that we had were starting to get overloaded, and older.
When we were looking for a solution, that's when we did the tests. We got a few in, in a couple of buildings, and did some tests. We wanted to see how the Fortinet solution worked. That's what really sold us on it: how easily they integrated with everything else - because we had the FortiGate - and the way it just popped into the environment.
As a result, we started looking further into the switches. When we did our upgrade, we upgraded the switches at the same time that we upgraded the FortiAPs. We were able to greatly increase the security on our entire network.
The setup of the FortiAPs is very straightforward and very easy to do. We chose to pre-deploy them, because of how we were going to have to deploy them, so that I had a team put them up and they were already labeled, because of the quantity that we were doing. Pre-deploying them, so the system already had the names on them, made it a little easier. All I had to is have people go hook them up. Once they hooked them up, I could complete the configuration, and it was super-easy, super-fast.
When we did the initial deployment, we did one building in one day, and we monitored that building and watched for any issues, to make sure that we had the settings and configuration correct. Then we turned around and we did the remaining nine buildings in a week. That was a total of 400 APs.
It went really smoothly. The interface and the original setup make it really easy. I was able to have a bunch of people putting them online and, as they did, I could see them come online. The way that the interface is built, being able to assign a profile, and having all that pre-built, it went really quickly.
Our deployment strategy was a staged implementation. Originally, we did a test, just to make sure we were going to be happy with the performance. Then, when we did the one building, that was the model. We had a little bit of time between that building and the rest, so we could tweak the implementation. That really assisted in us being able to do the number that we did in that short amount of time.
When I say it took us a week to do all those buildings, that included not just the AP part of it, but all the things we had to do to the network to allow everything to work. In a school setting, it's a lot more in depth, because that includes filtering which is a great deal more detailed than it is in most enterprises.
The neat thing about Fortinet technology is that it's so intuitive, it's so easy to use, anybody who is a network engineer is able to understand the technology and get it working pretty well. Documentation, cookbooks, and videos are available to help you. If you ever need any help, calling the Support Desk you get right through and they'll point you in the right direction.
Through the whole deployment, I only had two or three calls to them, and they were more about best practices: "We're doing it this way, would it be better if we did it the other way?" In some instances they said, "Well, you probably oughta test it." We did some testing so that we were able to make sure that we had the best solution for our situation.
We started testing about two years ago and deployed it across the entire school corporation about a year ago.
Fortinet's pricing and licensing is very reasonable. There are a few things that are a little bit different.
One of the reasons that we chose it is because we're a school and we're always looking at the bottom line. We've gone with this solution because it's been able to reduce our cost in other areas to get the same results. The amount of money that we save is allowing us to do the rest of the stuff right. Because of the savings, we're able to do some of the security things that, previously, we couldn't do because our hands were tied, due to the extra costs. We have realized somewhere around 30 percent savings. That has allowed us to focus more on the end-user experience, rather than on security and management.
There is one thing that I find extremely strange, and this something that is unique to Fortinet, and it isn't a positive at all. Any time I have an RMA (return merchandise authorization) if it's not considered a "DOA," which is within the first 120 days, even if I have paid support on the device, I have to pay to return the device back. For a customer like us, that's a little bit more difficult because of the way funding works and where we're located. It makes it a very big challenge to get devices back to them.
We just had an issue with an AP that was covered with a three-year extended warranty, and it failed. They sent us one right away, but we had to pay to ship the other one back. That's just not an industry standard at all. I could understand it more if it was a device that I had chosen not to cover, but on a device that you actually are paying premiums for, that's just not the industry standard at all.
We looked at Aruba, we looked at Cisco Meraki, and we also looked at Aerohive. They were all good solutions, but the reason that we chose the FortiAP solution was because of that single pane of glass and that tight integration with FortiGate. It made it so much easier to manage, and so much easier for us to do things if we need to something at the last minute. If we need to create a network for someone at the last minute, we are able to do so very quickly. The other ones just didn't have that.
I can't stress enough: If a customer already is a FortiGate customer, the cost to go to the FortiAP is incredibly affordable, because they already have the controller. Now, Fortinet does also have a separate Fortinet Wireless controller, and it does add some extra bling features. We are fine without those features. A lot of those extra features are tight integration with the port of presence, which is used to collect email addresses, and for monitoring. It's something that you'd use more in a shopping mall setting or a store.
Make sure that you take the time to do a really good evaluation of the product. Make sure that you're happy with all the aspects of how it's going to fit into your environment. I'm always the type who wants the best solution, whether it be with a different vendor or not. That's one of the things that I was concerned about. I wanted the very best access point I could have.
I was extremely surprised by the single-pane-of-glass management. I couldn't understand all the marketing, how they really push it. It's something that you don't really realize, until you're actually working with it, how powerful it is and how much time it saves you, and how much, in the long run, by going with the Security Fabric, you get increased security cost savings, and a better view of what's going on.
There are two of us who use the solution. I do most of the configuration and setup and my colleague does our one-to-one security in our system networking. He deals more with the filtering, the compliance part, with the desktops. If there's a network issue, or connection issue, I deal more with that.
Our relationship with Fortinet started out with the firewall. At the time we were looking for a solution, we used a product from FatPipe which did load balancing on multiple ISP lines. At the time, we had multiple lines - we had three different internet service providers because that was how we had to do it to get the bandwidth that we needed. We were using FatPipe to allow us to load balance our outgoing traffic over the multiple ISPs, and coming back in.
We worked on coming up with another solution and, at the last minute, CDWG called us and asked us if we would talk to Fortinet because they thought it would be a good fit. We did talk to them and were impressed. We went ahead and got the device in and, not only did it solve the problem we were looking at for less than half the cost of the other solutions, but it also replaced three other devices at the same time.
We just kept expanding, testing out its features. Eventually, we moved our web filtering to it. We installed the switches. We move to the APs and kept expanding on the Fabric. We moved our antivirus/anti-malware to FortiClient, and FortiClient also acts the single sign-on agent. It does the vulnerability assessment, scanning for programs that need patching, security patches, and then it auto-patches them.
It has slowly become a more cost-effective way for us to manage our security and our entire network, at a little bit of a reduced cost, and with a much better view of what's going on.
In terms of increasing the solution, we use the FortiAnalyzer but we're getting ready to switch to the FortiAnalyzer appliance, to increase our logging capabilities. We've finished evaluating the FortiClient EMS for Chromebook portion and we're getting ready to buy some licenses for those. We currently filter Windows and IOS devices using the FortiClient EMS solution, but we're adding support for Chromebooks and we're adding a few Chromebooks, so we're expanding there.
For the FortiClient piece, on the Windows and IOS device side, there's a Telemetry piece. It ties the FortiClient EMS and your FortiGate together. It allows your FortiGate to actually increase compliance for the FortiClient piece, which is the security filtering and single sign-on piece that sits on the client. We are purchasing that.
We're looking at adding the threat detection service, but we're probably going to wait until renewal time. With all the data that you collect, because you have the Fabric, the threat detection that takes a deeper dive. It analyzes and it looks into your systems further, all the way through to the endpoint. It can give you insight into the issues that you may or may not have known that you have. We'll probably add that piece next year.
We purchased through a reseller. We have a really close partnership with CDWG and they were the ones who introduced us to Fortinet. Our experience with CDWG was a positive one because it opened the door to other opportunities within the same product.
We've always had a really good relationship with them. Somehow, I've been dealing with the same salesperson at CDWG for 15 or 20 years now.