What is our primary use case?
I've been doing pre-sales engineering for most Fortinet products. Wireless is one of our main products, where there's a good market. I have been involved in a few of the implementations including the designing. One was a warehouse and there was another one where we helped design a wireless network for a public youth center. The youth center was a fairly big building. There was the basketball court and they had the library, etc. I designed the network around that.
There was another where we did the design for a retail shop. For them, the requirement was high-performance WiFi because there were going to be a lot of customers in the retail shop. They needed a very strong WiFi without having any network drops.
How has it helped my organization?
Nowadays, the biggest problem in modern networks is that you have one vendor for wireless and you have another vendor for your SIEM, another vendor for firewall, and an entirely different vendor doing anti-virus. The problem here is that if somebody were to infiltrate your network, you would have to pull information from all these different products. It goes without saying that these different vendors' products don't talk to each other. That means you would have to manually correlate all this information. With the faster threats that we have today, by the time you correlate anything and then come to a conclusion, the damage is already done.
But with the Security Fabric, all these products - let's say you have Fortinet Wireless and you have FortiGate as your firewall and on the endpoints you run FortiClient - they talk to each other, and you have 100 percent visibility across the entire network. If somebody, for example, from the accounting department brought in a USB that they picked up on the road and plugged into their computer, and it had a virus or a botnet, since you have visibility across the entire network, the IT manager would be able to clearly see this and take action.
But for most people, since their anti-virus is just one of their products, it's not going to inform the firewall or the switch or the WiFi that it has a problem. It's only going to be the anti-virus that will, hopefully, will catch it. If it doesn't catch it, that virus or problem can spread throughout the network without anybody noticing.
The two main points of the Security Fabric are the visibility and knowledge-sharing. Given that we have the Security Fabric properly implemented in the network and we have a FortiSandbox in place, if a Zero-day attack comes into your network, nobody will be the wiser. But your computer's anti-virus detects it as a suspicious file. It will load it up into the sandbox and the sandbox will run that program and give a red light when it realizes that it's a bad program. Since most of the products in the Security Fabric can talk to the sandbox, the sandbox will let every other point in the network know that it was a bad file. So from one of those files being uploaded into the sandbox, the entire network security infrastructure will have a new signature for that Zero-day, which doesn't happen in any other cases.
What is most valuable?
One valuable feature that comes to mind is the Network-In-Control. Usually, when there's WiFi, it's the WiFi client - your phone - that decides which AP to stick to. Your phone will stick with the closest AP, even though there may be another AP that's a bit farther away that has better bandwidth. Since your phone only decides based on the strongest signal, it would stick to the one with the stronger signal, the one that may not have enough bandwidth.
But with Fortinet, there is a feature called Network-In-Control. It's the AP controller that decides what the clients are going to connect to. In this case, the phone doesn't choose which AP you're connecting to, it's the wireless AP controller. Even though your phone sees, let's say, two APs, since the wireless controller has visibility into and access across all the APs, it knows the best AP for the client to connect to. This way, the controller makes sure that none of the APs is over-crowded, and the spectrum is used properly.
Fortinet Wireless has two appliances. The first thing is the wireless controller which does the AP setup and controlling. But it's the Fortinet Wireless Manager that gives you all the visibility, the logging and monitoring, etc.
If you do have a FortiGate Firewall somewhere in the network, you can connect the wireless controller to that. The Fortinet holistic approach is called the Security Fabric. That is the single-pane management for every Fortinet product in a single network. You get 100 percent visibility from a single point, which is, most of the time, the FortiGate. You can see everything that's connected to the FortiGate, whether it's a switch or a wireless AP or a wireless controller or any other Fortinet product. If you connect them through the Security Fabric you can actually see what's happening from end to end. If you're at the perimeter FortiGate and there's a client that's connecting through it, maybe six floors down the line, you can just go and have a look at the client end point from the perimeter FortiGate. And if that end point is compromised you can take it off the network easily.
What needs improvement?
There are three methods that Fortinet offers wirelessly. The first is industrial, where you have a wireless controller separately and you don't have a FortiGate in the equation. The second is what we call integrated: You get a FortiAP that connects directly to your FortiGate. The third is cloud AP where you just have the AP and you control it through the cloud. On that, they could improve the management side of it. The management side is a bit lacking in its reporting.
One of the main features that I see as lacking in any of the Fortinet products is the reporting. If you want to have proper, end-to-end reporting, you must purchase the FortiAnalyzer which is the dedicated reporting and analyzing tool. For a small customer who has only a few APs, you can't justify asking them to run the FortiAnalyzer because that will incur some amount of cost. If Fortinet could offer some better, built-in reporting, that would be a point of improvement.
For how long have I used the solution?
One to three years.
What do I think about the stability of the solution?
The stability is fine on its own, but we can do high-availability where we have multiple wireless controllers, in case one goes down.
What do I think about the scalability of the solution?
Scalability is pretty high. In a large enterprise, the single largest box we have is the Forti FWC-3000 which can hold up to 30,000 clients. That's just one box. If we need more I'm sure we can scale more.
How is customer service and technical support?
I haven't had the chance to see the Wireless technical support side of the operation. Fortinet Wireless' tech is pretty knowledgeable about what they're doing so I would assume that their tech support caters pretty well. But I can't give a solid answer because I haven't had any experience with them.
I do come in contact with their tech support pretty often when it comes to dealing with FortiGates, and their help is very good.
How was the initial setup?
If it's an industrial setup, it's a bit complex. You need to know what you're doing. An everyday manager wouldn't be able to set it up properly because you need to know how to secure it properly and set all the settings.
For an industrial deployment, if you get engineers who are knowledgeable, it would be pretty easy for them. They could set it up within a day. The integrated WiFi, where you connect the AP to the FortiGate, will take a couple of minutes. The cloud WiFi is actually a zero-touch deployment. You can just ship it to a branch office, have them connect it to the internet, and it will configure itself automatically.
In terms of an implementation strategy for an industrial deployment, the first step would be to do a proper wireless survey by somebody who understands the field. Something that I have seen, where most people go wrong, is that the network engineers or the network administrator in the company think they how to design the network. In the diagram they place the APs where they think would be the optimal placements. Later on, when they've done the purchase and setting up, they figure out it's not optimal. Either they have wasted money by putting in too many APs, or they have not assigned enough APs to power the entire network. When it comes to wireless LAN networks, step number one should be getting a proper WiFi survey done to suit your requirements. After that it's easy.
The survey requires just one person. For a deployment, I'm not sure how many people will be required to set up the APs, because if it's a big conventional hall, for example, then you are going to need some professional people doing the WiFi mounting, etc. After that, configuration-wise, it is a one-person job.
I don't think that any organization will have somebody who is qualified to do a deployment by themselves. This is a niche product. If a company is going to introduce Fortinet Wireless into their network, the IT administrators would not know how to configure it. They would have to get somebody who knows it. After that, they could get training for maintaining it. The administration will then take just one person.
What was our ROI?
In terms of cost of ownership, as a WiFi solution on its own, I would say it is pretty similar to every other vendor. But, as a holistic approach to a network, it would definitely lower the cost of ownership. If the client chooses to go with the WiFi as well as security from Fortinet, all from the same company - as I explained earlier, with the Security Fabric you get 100 percent visibility and threat intelligence sharing - that would definitely cut down on the cost of ownership.
Regarding ROI, especially for people in the retail business, they can easily cater to their clients, plus they can get analytic data from the clients and make something of that data.
Let's take an example where you have a big mall and the mall management decides to implement FortiWiFi. There is one feature that these guys really like which is the analytic side of it. We can easily show where their customers have been. We can show them a wireless "heat map" of everybody who walks into the mall. With it, we can tell people who own the shops, "This is where the customers mingle the most. These are the favorite parts around the mall." That really helps clients to do something with the data. That would be a good return on investment.
What's my experience with pricing, setup cost, and licensing?
We're not cheap but we can give you better pricing than the competition if it comes to that. Licensing is pretty straightforward. We don't have any hidden licensing when you purchase an appliance. If you purchase one appliance you get the maximum number of clients and every feature in that appliance unlocked for you. You just pay for the entire thing outright.
Which other solutions did I evaluate?
In looking at Ruckus vs Fortinet Wireless and some other WiFi providers, the others are just doing the WiFi part. With Fortinet, the plus is that you also get a very secure network which is easily adaptable to the security design provided by Fortinet: the FortiGate, FortiAnalyzer, or any other feature in there. That is one of the deciding factors for organizations but, in certain cases, the fact that we can give it at a much more affordable price also helps.
What other advice do I have?
Get a good wireless plan done, get a good survey done. Also, know what you really want. Every vendor comes with 100 different features but you may not end up using all those features yourself. I'm being vendor agnostic here. If you want to do a WiFi implementation:
- Get a proper survey done.
- Know exactly what you want.
- Think about security as well.
If those three steps help you zero-in on one product, that's the way to go.
Fortinet has a very strong industrial presence because they acquired Meru Networks a couple of years ago. The industrial strength WiFi, which Fortinet is offering, is what Meru used to have. They have a couple of more technologies which the other vendors don't have.
We've seen a big jump in the market for Fortinet WiFi. We can actually provide it at a much lower cost than the competition. The plus point of our WiFi is that we don't only provide the WiFi, we also provide security with it. This relates to another problem that I see in the market. Let's take a web developer for example. The web developer is a developer who does web pages but doesn't think much about security. No matter how good a webpage is, if that page can be easily breached then it is of no use to the client. If you apply that same analogy to Fortinet, Fortinet understands security as well as wireless LAN solutions. We can easily integrate the access part of wireless with the security part of wireless. That is appreciated very much by our customers. Since they understand that, they are very happy to go with Fortinet WiFi.
I would rate Fortinet Wireless at nine out of ten because of the ROI and the TCO that we discussed, plus the ease of management. These guys they are really up on the deal. They are in the fastest moving technology industry. Whatever changes come, they implement it and do their testing very well. Overall, it's a very good product. The one feature that I am not happy about is the reporting. There's a bit of a way for them to go with that. Once they iron those things out I'm sure they'll get ten from me.
Disclosure: My company has a business relationship with this vendor other than being a customer: Distributor.
Dec 09 2018