Fortigate 3.0

I had a demo of Fortigate's version 3.0 OS yesterday. It's no longer under NDA, so I can talk about it.

Besides dozens of little things that make the GUI (which was already very good) easier and faster to use, they've added SSL VPN (that's a VPN connection without installing client software!), doubled the throughput of the AV engine while getting clear of the Trend patents, added a virtual interface construct that will be familiar to all you route-based VPN fans from NetScreen land, and improved reporting and logging to the point that there are some graphs right on the unit you can pull off now, and the boxes can now talk to Active Directory so your logging can include user name. In fact

*you can replace a Websense installation with this box now* for all but the most very complex needs. Wow.

The management app that was Windows based for the FortiManager product is no more; it's all browser based for every box they sell, so it's completely platform independent.

The FortiManager, FortiGate, and Fortilogger work better together, even displaying each other's information within their GUIs.

Fortigates have added Peer to Peer and IM to the supported Antivirus protocols list, and improved their capabilities and explicit blocking rules for these protocols (i.e. you can, for example, block files but not chat if you wanted to), as well as understanding the usernames used within the program (so you could whitelist 3 MSNM users and block the rest, for example), and they've re-organized the IPS in a very useful way that will allow tremendous flexibility by policies for application of IPS.

In short, almost my entire wish list was fulfilled, and I'm *really* excited about these boxes now, boxes for which I was already a big fan.

Slated for release in December, to run on all current boxes.

Reply to
Somebody.

[snip]

What is the MSRP, for a single seat? And a url to some current & up-to-date site/page would also be helpful :)

Reply to
Vrodok the Troll

This is an appliance, not software. Units with full subscriptions start below $1000. How many people you put behind it is up to you; there are no per-node counts or limits.

This stuff is about version 3.0; it's not public info yet, although I've been told it's no longer secret. But they have no information on their site about it yet. Of course lots of info about these units running 2.8 can be found at

formatting link

-Russ.

Reply to
Somebody.

Thank you.

Reply to
Vrodok the Troll

Russ, I've been considering a Fortigate 50A or 60, and was wondering how (and how well) the AV capability works. Does it actually scan incoming email for viruses (at the gateway itself), or does it act as a server for pushing virus definitions to a client component (which does the actual email scanning)? The latter is more common, I think.

I've always thought it would be ideal to have AV and spyware filtering happen at the gateway (if possible) rather than having to install software on the PC for this (where it always seems to interfere with other things). Although I've seen a number of products that provide this, none of the ones I've looked at have completely eliminated the need for a client component.

Thanks for any info. -Pat

Reply to
Pat

The latter may be more common but I consider it inferior to the point of being nearly unworkable.

The FG units scan email (smtp, pop3, imap), http, ftp, and now with 3.0, several flavors of IM and several flavors of P2P as well. The scans are done inside the unit, including unzipping of compressed files to multiple levels if needed.

While catching viruses at the gateway is a great idea, please note that it does *not* free you from any form of desktop antivirus. There are still ways to bring viruses into a network without going through an AV gateway -- encrypted tunnel, USB key, FDD, CD, DVD, rogue machine connection inside, infected laptop from a road warrior, unsecured wireless, fragmented files in unscannable protocols, etc. Unless you have blocked all of these other vectors, you still need virus protection on the client.

However, having virus protection at the gateway offers a significant extra layer of protection, and it will always update faster and be more stable than desktop protection. Additionally, it can recognize *outbound* virus payloads, even if an internal machine gets compromised and its antivirus gets shut down, so that you can identify and rectify such a machine without causing infections to other outside agencies.

Some spyware can be stopped at the gateway also, but not all. It morphs so much and is so difficult to identify that you should still have protection at the desktop and do regular sweeps. However, gateway spyware protection will help spot the activity of actually network-active applications and point you in the right direction for your remediation.

-Russ.

Reply to
Somebody.

Right now they're selling "bundle priced" FG60's with all subscriptions except voice tech support for about what the hardware alone cost 4 months ago. So for less than $1000 USD you get the 5 interface unit with AV, IPS, Greyware, SPAM, Web Category filtering, VPN, and email tech support for 1 year.

They make their own definitions in house -- consider: their problem is very simple as far as AV goes... recognize it, drop it. A desktop maker has to recognize it, clean it for 98/NT/Me/2k/XP/2k3, run correctly in their TSR (full of low level OS hooks) on all those operating systems, post their definitions in a superdat for download via liveupdate or whatever... FG updates can be pulled once an hour, can be pushed out in an emergency, and are very tiny and simple. FG is usually first on the ground with a new signature because their development cycle is shorter and their distribution is faster.

No, the Firewall cannot scan workstations. However it scans all traffic coming through it from the workstations, and with IPS enabled, can in fact recognize the activity of an infected workstation even if it gets infected by a virus not covered by existing definitions, and of course also if it has been compromised by a known virus.

You can also buy the FortiClient, which is like $15 a seat in quantity 1 and a lot less for more. It's intended to be a software IPSec VPN client for road warriors, but it also uses the same IPS and AV engine that the FortiGate does, plus a software firewall, to protect and scan the workstation. So in effect you can get a very cheap firewall/AV solution for your clients using this method. I'm kind of a fan of using a separate solution for the desktop and the firewall, and the FortiClient is not centrally managed, but it's an option if you're tight on budget and don't want to fork out for a Symantec Enterprise license or similar.

-Russ.

Reply to
Somebody.

Russ,

Thanks so much for all the information. Very impressive technology.

Do you know if there is an additional subscription cost for the AV capability, and if so, what it is? Also, can the Fortigate's AV engine scan and disinfect, say, a workstation HD (or USB flash drive) if needed? That would be very slick, if so. Where do they get their AV definitions from (another provider, such as Trend or Symantec)?

All in all, it sounds very close to what I'm looking for.

Thanks again,

Pat

Reply to
Pat

Russ, OK - you got me - we have put in the Fortigate 100A. The support for SSL was the kicker. At this point it is set up in a simple transparent mode and we had the thought of waiting for 3.0 to do the "real" configuration. Any idea when this would be coming out?

Reply to
CCMiami

3.0 is out in controlled release. It's not ready for production yet. The SSL, ironically, is one of the worst implemented features in the release. But give it time, they'll sort it out and it will be great; I have every confidence in that.

I wouldn't be afraid to do more config in 2.8, the config *should* translate at upgrade time and most all of the 2.8 configuration is carried forward. They've just added new stuff.

I've been running 3.0 on my outside gateway for weeks. Build 143 was the first release candidate; it had a few minor issues, mostly with my VoIP phone, and it dropped sessions once in a while. I ran build 152, the first controlled public release, for a while; it was pretty decent except for a logging bug. The current build 155 is pretty good. I'm making good use of the new bits in the web filtering and the overrides, and it's prioritizing my traffic well. It's doing everything my NetScreen did just fine, and I like the new IPS granularity a lot also. Plus P2P and IM are now controlled on my LAN. But SSL is still broken for now.

I'm sure we'll be waiting for MR2 or MR3 to go production. A sympathetic partner can get you 3.0 now, but you have to understand *there are still bugs* as it's not even in full release yet. I really do recommend waiting for critical production systems. Ask your vendor to keep you in the loop on how the releases are doing.

I made a 30 page document with explanations and screenshots of most of the new features in 3.0, for those that already know 2.8 very well. Email me if you want a hyperlink.

r u s s @ r u s s d o u c e t . c o m

-Russ.

Reply to
Somebody.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.