Fortigate Experience / Review

We purchased a Fortigate 100a firewall about 2 months ago, partly based on the comments from this group as well as the excellent reviews. I thought I would let you know how it is going.

Our environment is a single LAN, we have a few servers and need good remote access. Some of the reasons we picked the Fortigate are the speed - as we want to have some AV checking "on the inside" due to the population of laptops. A VLAN setup was also recommended to us so we have each server in its own VLAN. Of course our primary concern is security, and the Fortigate has a good reputation. We also purchased the VPN client/firewall so we would have both ends from Fortigate. We don't have a dedicated sysadmin but our group is quite technical (including a programmer that has written router code).

The unit came out of the box working and has had no serious hardware or software problems. We have not had any intrusions but I really have no way to evaluate its capability to stop them. The box is feature-rich and supports mostly every networking protocol and option we can think of, capability has not been a problem. For a fast unit with VLAN this fortigate is a good value.

What has been a problem is the complexity and documentation. This is a box they expect someone to become an expert on and understand the concepts, options and their interrelationships. The documentation requires multiple readings. We have yet to get the VPN working, we are on our 3rd try - getting VPN up requires configuration of options all over, there is a "step by step" but it seems somewhat out of date. I should emphasize we are talking about smart techies trying to do this.

There are a lot of AV options for specific attacks, most are just set to record the event. As we don't study virus signatures in detail, we don't have a good way to know what we should turn on, we hope the defaults are ok.

We can't give good marks to the "Forticlient" VPN and Firewall. Every machine it has been installed on has had stability problems. There is an option to remove the firewall and just use VPN, but this requires modifying the install with special software we don't have and have never used. We are going to try using the MS VPN client.

Bottom line is this may be a good box for a pro, but it has a high overhead for the small network user. What we don't have is a good way to compare this with the other firewalls, perhaps they are all complex. I suspect that once everything is set up it will function well.

Reply to
CCMiami

I teach Fortigate courses. I feel the box is a very complex, but very learnable box. Feedback from my courses is always extremely good. Perhaps a crash course from a local qualified resource would help you out.

I don't actually read the Fortinet documents very often though. :-)

You are probably talking about IPS, AV doesn't have such options. You need to take a pro-active approach with this (and any IPS) to look in the logs, refer back to the articles on Fortinet's website, and decide what action to take with each item. The default is fairly permissive, because if it wasn't, it would break all sorts of your production traffic when you first drop it in. But it may therefore also let through some stuff you should care about. However, it's logged. So, look at the logs. Big hint: Change the column view in the log to reveal the "status" field. That will help you understand what's happening.

The Forticlient is really quite excellent compared to most any other IPSec client install I've tried. You must must must turn off any other firewall FIRST if you want to use the forticlient firewall. Same for AV. And these components work really well, far better than any of the Symantec bloatware or most of the other products I've ever looked at.

That said, all you have to do if you want to stick with the windows firewall and your favorite centrally managed enterprise AV software, is to do a custom install instead of a standard install when you put the forticlient on. Deselect the components you don't want and just leave the VPN component. It's really very simple to do -- I assume you're trying to build a custom no-touch install and that's how you've made it difficult. That should be garden variety msi work but I've never bothered, it's only about 10 or 15 simple clicks for the custom install anyway. Far simpler than installing MSoffice or something like that. Just doing a vpn client install without the other bits has been very stable everywhere I've tried it so far, but YMMV on that one of course.

As for setting up the software VPN, again, the published docs may not be all that great, but I can always set up nicely featured software VPNs with exported profiles in about an hour to meet the client's needs, no problem. Once you learn it that is. :-)

I really do feel that they're great boxes but indeed are too complex for the average IT guy to learn and set up well on their own in isolation. We very, very often sell a day of time to do the initial deployment and give a crash course on them to the local resources, and they usually do well from there. Often they'll subsequently sign up for one of my courses, but not always. But those guys usually end up being loyal Fortigate users as they learn enough to really leverage the power of the box. A year later, they can't imagine how they got along without them.

-Russ.

Reply to
Somebody.
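As an added illustration of the review loop Russ describes above (the IPS logs an event with a permissive default, you read the log with the "status" column visible and decide per signature what to do), here is a small Python script that is not from this thread and not Fortinet's code. It parses key=value log lines, groups IPS events by signature and status, and lists the signatures that were only "detected", most frequent first, so an admin has a short review queue instead of a raw log. The key=value layout, the field names (type, attack, status, src) and every sample event are constructed assumptions for the example, not a real FortiGate export.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not taken from a real FortiGate). The key=value
# layout and the field names are an assumption used for this example only.
SAMPLE_LOG = """\
date=2006-03-01 time=09:12:01 type=ips subtype=signature severity=high src=203.0.113.7 dst=192.0.2.10 service=http attack="Sample.HTTP.Probe" status=detected
date=2006-03-01 time=09:12:05 type=ips subtype=signature severity=high src=203.0.113.7 dst=192.0.2.10 service=http attack="Sample.HTTP.Probe" status=detected
date=2006-03-01 time=09:13:40 type=ips subtype=signature severity=high src=203.0.113.9 dst=192.0.2.10 service=http attack="Sample.HTTP.Probe" status=detected
date=2006-03-01 time=09:15:12 type=ips subtype=signature severity=medium src=198.51.100.4 dst=192.0.2.25 service=smtp attack="Sample.SMTP.Anomaly" status=dropped
date=2006-03-01 time=09:16:03 type=ips subtype=signature severity=low src=203.0.113.7 dst=192.0.2.53 service=dns attack="Sample.DNS.Query" status=detected
date=2006-03-01 time=09:16:30 type=traffic subtype=forward src=192.0.2.40 dst=203.0.113.80 service=http status=accept
"""

# key=value or key="value with spaces"; the quoted alternative is tried first
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv_line(line):
    """Split one key=value log line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}


def summarize_ips(log_text):
    """Group IPS signature events by (attack, status): hit count plus the set of sources."""
    summary = defaultdict(lambda: {"count": 0, "sources": set()})
    for raw in log_text.splitlines():
        event = parse_kv_line(raw)
        if event.get("type") != "ips":
            continue  # traffic and other log types carry no IPS verdict
        key = (event.get("attack", "?"), event.get("status", "?"))
        summary[key]["count"] += 1
        summary[key]["sources"].add(event.get("src", "?"))
    return dict(summary)


def detected_only(summary):
    """Signatures the IPS saw but only logged (status=detected), most frequent first.

    Returns (attack, hits, distinct_sources) rows: this is the list an admin
    reviews against the vendor's signature write-ups before changing an action.
    """
    rows = [(attack, v["count"], len(v["sources"]))
            for (attack, status), v in summary.items() if status == "detected"]
    return sorted(rows, key=lambda r: (-r[1], r[0]))


if __name__ == "__main__":
    for attack, hits, nsrc in detected_only(summarize_ips(SAMPLE_LOG)):
        print(f"{attack:30} hits={hits:3} distinct_sources={nsrc}")
```

The script only reports; the decision to change a signature's action stays with the person reading the output, which is the point Russ makes about the permissive default. Swap `SAMPLE_LOG` for the contents of an exported log file and adjust `KV_RE` if your unit's export uses a different delimiter.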

Thanks Russ,

You don't happen to be or know of a resource in North Virginia, do you? The cost of this box in human terms is getting out of hand, the idea of needing to go to courses and such is disappointing.

As for IPS, looking at the logs to find out I HAVE BEEN attacked seems like a bad solution. How often do you do this? Again, the human cost is high.

We spent about an hour with support yesterday to get the VPN working, even he seemed to have trouble - note that this is just setting up normal dial-up users. Frankly, I still don't understand it, the policies seem to be "backwards".

As for the VPN client, we have not tried custom installs, one of my guys just installed the VPN part and his machine will then not shut down. Others have the full install and it is still troublesome. We mostly have IBM laptops, perhaps it is a specific conflict.

-CC

Reply to
CCMiami

We would like to find a Fortigate consultant to review our setup and help get all the features working. We are in North Virginia / DC Metro. You may contact us at user: cc06temp domain: enterprisecomponent.com

Reply to
CCMiami

No, not offhand. Our US offices are Tampa and Atlanta. I'll check and see what I can find though.

Well, you could set everything to block/drop and then see what doesn't work. If your traffic is very plain and you're exposing no servers, you'll get away with this just fine I imagine.

Yes, the policy does look backwards sometimes. I agree. :-)

Could be, lord knows I've fought hard with IBM laptops in a former life as an administrator. Software problems are about my least favorite issue to work on.

-Russ.

Reply to
Somebody.

Check your mail...

-Russ.

Reply to
Somebody.

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.