What is our primary use case?
Our client was at the start of a network automation journey. They had a multi-brand network environment and they started investing in the FortiManager to support their vision of network and security orchestration.
That was their first step in a series of steps to build up their security capabilities or at least to get better visibility on the security topics within their environment. With a different team, they also deployed Nessus and Lansweeper in the same environment to do automated vulnerability sweeps. Before I left that customer, there were plans to deploy additional Fortinet products, FortiAnalyzer for example. I left the customer team in February this year, so I'm not updated anymore on what's happening there.
What is most valuable?
This was the first time for me to work with the FortiManager or a similar product. It was an interesting learning experience for me personally, to understand how we could do centralized management of these firewalls. At the same time, while we were deploying the solution, I considered how useful it would be in collaboration with other Fortinet products, for example, the Analyzer and the FortiSIEM, to really get automated security responses. That's what the vision was.
To have a quicker response to security events, the customer wanted to eventually acquire the capabilities to do automated security responses, just to make it faster to respond to security events. Even without the security orchestration, the customer could request the firewall team to configure a job that would roll out a configuration on the firewalls, and it could be deployed across all the firewalls through the FortiManager. That was a big improvement compared to deploying the new firewall rule on each firewall sequentially. So being able to roll it out to all the firewalls in the same change was a big improvement in terms of being able to respond more quickly to any security events.
The initial setup was straightforward.
What needs improvement?
Within the management of some features on FortiManager, specifically the management of user objects used for VPN service, FortiManager is quite weak. This was the case as of the time when we deployed them, which was one software cycle ago. I don't know whether that deficiency was fixed. However, we found it was easier to make changes to the VPN user objects and local user objects. It was much easier to make the changes directly on the firewall than with FortiManager because in FortiManager you have to go through different windows, and even the CLI, in order to make the changes to the user database. It's just a matter of improving the UI, being able to manipulate objects that could be manipulated using the firewall GUI, for example. It's just about expanding the features of the product so that whatever you can do on the firewall, you can also do at the same level of convenience on the FortiManager.
For how long have I used the solution?
I used the solution for a while. I used it just last year. The project ended in February this year, so it has been several months now since I last touched FortiManager.
What do I think about the stability of the solution?
The solution was stable. I left that customer last February, so I don't know how it is now. At the point I left, it was stable.
What do I think about the scalability of the solution?
With regards to scalability, with the on-prem solution, I would say it won't be as scalable as a more virtual solution, either on the cloud or on-prem. With virtualized environments, you can scale easily. With appliances, you do have hard limits in terms of capabilities. Once the number of devices exceeds the limits of the product, then you have no choice but to upgrade to a higher model of FortiManager.
We have two clients who use FortiManager in their environment.
How are customer service and support?
The overall support was okay. We only really had issues when we raised several tickets to help solve the synchronization of the user objects; I felt it took much longer than it should have. It took several weeks before we were finally, definitively told that it won't work and what we need to do. Therefore, it took much longer than I felt it should have taken. For other topics that we raised during the deployment, they were quite helpful, however.
How was the initial setup?
I helped the project team in implementing it. It was the first time that we implemented FortiManager.
The initial setup was straightforward. If you wanted just to do the basic configuration, it's quite straightforward.
That said, it was straightforward except that we had some big issues and big challenges in our first attempt to put all the devices in the same ADOM, as each device had a fair amount of custom firewall rules and custom firewall objects already existing, and each firewall at the branch site was also acting as a local VPN hub.
We had a lot of local user objects and we discovered quite quickly that when we had a lot of user objects for the same user, but on different firewalls, when we wanted to put them into the same ADOM, it created a huge challenge in synchronizing user objects because these user objects on different firewalls are considered to be different user objects owned by the same physical person. They had the same username and the same authentication credentials, so it created an issue in synchronization.
Eventually, after consulting with Fortinet, we had to redo our design. That was the only hiccup we had in the design during implementation. Had we known about this requirement, had we understood that particular technical constraint earlier, our design from the beginning would have been much different.
The deployment itself took four months.
We had two technical people who set up the solution; however, neither was full-time. You only really need one full-time person.
What's my experience with pricing, setup cost, and licensing?
The licenses that we purchased as part of the project were for three years. I don't remember the price anymore. I can't recall the monthly license fee. In any case, the licenses were purchased for three-year periods.
What other advice do I have?
I'd rate the product eight out of ten.
Which deployment model are you using for this solution?
On-premises
Disclosure: My company has a business relationship with this vendor other than being a customer: Implementer