Small office firewall/vpn/security appliance

We are setting up a new office network and would like some advice/experience on firewalls. I have looked at the messages but am still confused :)

Today we have a single external connection (business cable 2/4) but may want to expand with a backup. There will be 2-3 externally visible servers with their own IPs and a small LAN - 15 users. We need VPN access (10 licenses) to the servers for external users. We will probably set up the internal LAN using a "store" router for NAT but could also use the firewall's NAT. We would like (of course) as much protection as we can get - including intrusion, VPN. The degree of "inspection" on the firewall is important but it is hard to see around the marketing. I expect to set up some wireless, but using a separate access point - we will also set up a "guest" wireless (possibly outside the firewall). We also want to make sure we can still use applications - FTP, NetMeeting, etc.

It is even hard to tell what these things really cost when you get the protection packages. I have listed what I THINK they cost. Questions I have are:

- Stability

- Degree of protection

- Speed

- Expected life/upgrades

- Support for multiple IP addresses and routing

- Real cost

- Complexity to admin (Tech users but no dedicated support)

- Marketplace position

- Support

We are looking at:

Checkpoint Safe@office 225 Comprehensive security $1230 ($180 per year)

-- Or perhaps VPN-1 Edge, seems similar

-- Best "deep inspection"?

-- Market leader?

Juniper NetScreen 5GT Extended $1100

-- Well respected, solid

Fortigate 60 all in one security bundle $800 ($350/year)

-- Fast but may have more limited protection? Hard to upgrade due to hardware?

-- No user limits

-- Best deal and good rep, But not much of a market leader?

SonicWALL TZ 170 25-Node Comprehensive Gateway Security Bundle $750 (May be more hidden $)

-- But it looks like VPN clients are $30 each, so add $300!

-- Hints of stability problems.

-- Market leader?

Cisco PIX 501

-- Seems to lag the others

We would really appreciate thoughts and experience!

Reply to
CCMiami

You may want to check out Watchguard and Snapgear too.

Duane :)

Reply to
Duane Arnold

advice/experience

I work rather heavily with Fortigates, deploying them in front of small offices, branch offices, head offices, very large enterprises, universities, school boards, hospitals.

Their protection is very good -- they can reassemble and scan through data in hardware, enabling them to do antivirus and IPS at very good speed while still using comparatively simple (i.e. reliable) hardware. A 60, for example, has Internal, WAN1, WAN2 and DMZ interfaces, but no moving parts. The only failures I've seen in thousands of units are the odd dead port, which occurred in the field, most likely via user error. And in that same box it does full firewall, software or site-to-site VPN, 1300 intrusion protections, web/mail/FTP antivirus, spam filtering, content filtering, and web category blocking (i.e., stop p*rn/gambling/etc).

They don't upgrade -- but neither do most any other ones in the roundup, I bet, unless they artificially limit themselves in the first place and "upgrade" by removing the limit, or by putting in an expansion card to make up for hardware deficiencies to start with. Do you really need to upgrade from a 70Mbps firewall? All Fortigates come with no user limits and no per-user fees on anything except for software VPN clients, which are very cheap. They run like champs right up to their limits. I've got big Fortigate boxes doing IPS at Gig speeds and AV at hundreds of megs. The 60 has complete internal (or even external) logging and packet sniffing and can even be set up as an HA pair.

The 60 has been around for 2 years, and it's been through the last 2 major code updates (2.5, 2.8) and will soon run the 3.0 code which will add even more neat tricks to it -- unfortunately I can't tell you what under my NDA Beta agreement, but I have live Beta code that I've seen, and it's very cool. The thing is the hardware is so flexible they can add new capabilities to it readily... the 60 today does all sorts of neat things that it didn't do when I first saw it, due to new code using the flexible ASIC chips on board.

I've done lots of NetScreen too, they're very solid boxes indeed. But they got away from their bread-and-butter ASIC design with the 5GT -- the AV and DI components are implemented in software, so the performance of those bits can't touch the FG.

I've put in lots of Fortigates and I work with them every day along with lots of NetScreen and a handful of other things. Let me tell you, I think they're awesome. The fact that they're also a great deal to me is astounding.

-Russ.

Reply to
Somebody.

Ok - One well-informed vote for the Fortigate! Thanks Russ! Do you have any concern about the company or the legal stuff going on?

Reply to
CCMiami

Russ, one more question if you don't mind... I was not aware that the 5GT didn't use ASIC, but where do you see the performance hit? The 5GT is rated at 75Mbps, about the same as the Fortigate. So either it doesn't keep up with that speed in the real world or it can't process as many packet inspections. Or, does the rated speed not include DI/AV? Where does the user or server notice?

Also, do these firewalls do CIDR as well as support the "standard" VPN client, such as is found on devices by default (even my PDA has a VPN client)?

Thanks again for your excellent response.

Reply to
CCMiami

No, my visibility into the internals seems ok, the signals all look good. That legal stuff at worst will end up as a cash settlement and a license fee -- the code bits are probably already re-written.

-Russ.

Reply to
Somebody.

The 5GT has ASIC for firewall and VPN, just like the 5XT and the 5XP. But AV and DI are done in software. That rated throughput is for firewall only. Try to get some solid numbers for DI and AV; I couldn't, and haven't had the opportunity to test one that hard.

I can tell you that the 60 would run about 50Mbps IPS and up to around 8 to 10Mbps AV, give or take depending on the traffic and the configuration. And I mean that very literally, it varies a lot based on those two things.

The FG does not support CIDR. If that's a show-stopper, the FG is out.

Standard VPN clients should be fine, if they're standard. The windows client for example, is a pain in the butt and rarely works reliably on anything for very long in my experience -- which I admit, is limited. We usually go with a proper IPSec client. But, if it's a standards based client, it should be just fine. The unit doesn't care what it talks to, as long as it talks in a standard way.

-Russ.

Reply to
Somebody.

Hey there, sorry, I hadn't heard the term CIDR and my quick Google led me astray. Subnets can be any arbitrary size on the FG or the NS, no problem. In fact you can put them in either 255.255.255.128 format or /25 format; they're fully interchangeable in the same dialogue boxes in most cases. But certainly you aren't limited to just /8 /16 /24 subnets.

Sorry for the incorrect answer there!

BTW, the 60 also understands VLANs if that helps with your network design.

-Russ.

Reply to
Somebody.
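The two subnet notations Russ mentions are the same thing written two ways, and Python's standard `ipaddress` module accepts both, so the conversion and the "any arbitrary size" point can be checked offline. The following is an added example (not from the thread or any vendor) that normalises either notation, converts between prefix length and dotted mask, carves a constructed address plan for the office described in the original post (DMZ servers, ~15-user LAN, guest wireless) out of the RFC 5737 documentation range 192.0.2.0/24, and checks that the pieces don't overlap. The subnet sizes and addresses are assumptions made for the example.

```python
"""Subnet notation helpers and a small office address plan.
Added example, not from the thread. Addresses come from the RFC 5737
documentation range (192.0.2.0/24), used here as a stand-in."""
import ipaddress

# Constructed plan for the office in the thread. The sizes are assumptions:
# /29 for 2-3 DMZ servers, /27 for ~15 users plus printers, /25 for guests.
OFFICE_PLAN = {
    "dmz": "192.0.2.0/255.255.255.248",  # dotted-mask form of /29
    "lan": "192.0.2.32/27",              # prefix-length form
    "guest": "192.0.2.128/25",
}


def parse_subnet(text):
    """Accept either '/25' or '/255.255.255.128' after the network address.
    strict=True rejects host bits set in the network part; ipaddress also
    rejects non-contiguous masks such as 255.255.0.255 (ValueError)."""
    return ipaddress.ip_network(text, strict=True)


def to_mask(prefixlen):
    """Prefix length -> dotted netmask, e.g. 25 -> '255.255.255.128'."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)


def to_prefixlen(mask):
    """Dotted netmask -> prefix length, e.g. '255.255.255.128' -> 25."""
    return ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen


def usable_hosts(net):
    """Addresses left after the network and broadcast addresses."""
    return max(net.num_addresses - 2, 0)


def zone_of(ip, plan=OFFICE_PLAN):
    """Which planned subnet an address falls in, or None if unassigned."""
    addr = ipaddress.ip_address(ip)
    for name, text in plan.items():
        if addr in parse_subnet(text):
            return name
    return None


def check_plan(plan=OFFICE_PLAN):
    """Parse every subnet in the plan and fail if any two overlap."""
    nets = [(name, parse_subnet(text)) for name, text in plan.items()]
    for i, (n1, a) in enumerate(nets):
        for n2, b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{n1} {a} overlaps {n2} {b}")
    return nets


if __name__ == "__main__":
    for name, net in check_plan():
        print(f"{name:5} {net} mask={net.netmask} hosts={usable_hosts(net)}")
```

Because `parse_subnet` is strict, a typo such as `192.0.2.40/27` (host bits set) is rejected at plan time rather than silently producing a different network, which is the mistake that most often turns into an unintended hole in a policy.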

Based on the note from Russ (below), the speed of the firewall with all the options turned on is an issue. We would like to have some protection turned on internally (to the servers in the DMZ) as well as on the external side in case people pick up viruses and bring them in (we have a lot of people with laptops). We also don't want the network running at a crawl!

Has anyone done speed tests on the routers with the options on? Or, are there reviews or information from the suppliers?

The Data point from Russ is; the Fortigate 60 would run about 50Mbps IPS and up to around 8 to 10Mbps AV, give or take depending on the traffic and the configuration.

Reply to
CCMiami

A FG60 is a great box for most smallish offices running DSL, T1, or something up to maybe around 10Mbps.

It's not sufficient for using in front of internal servers from which you expect 100Mbps LAN-speed performance.

If your servers are things like web servers with a moderately low demand, you're probably fine with using it with IPS enabled and getting in that 50Mbps range. Similar for mail servers unless they're a well-used Exchange or Notes type application server, but a sendmail type box for strictly email should be fine. I would think you could probably enable virus scan on incoming email only in that config (mail server in the DMZ) but I wouldn't push your luck much farther than that, and I would tune it as much as possible and keep an eye on the system resources.

The numbers I'm giving to you come from Fortigate's internal testing and my own field experience. They really, truly do vary a lot based on your implementation.

Why don't you tell me a bit more about that... what kind of servers are going where, how busy they are, what your main Internet feed is, and what protections you want where?

I have done implementations of Fortigates in front of internal servers but they were significantly bigger boxes than a FG60.

-Russ.

Reply to
Somebody.

And though bandwidth calculations are good, routers are measured by the number of packets they can pass per second (pps)... might be good when shopping around, as it's the only REAL measurement off of which to base performance as far as routers (firewalls, VPN appliances, whatever) and gauge when pricing and comparing.

$0.02.

Ron!

Reply to
Ron!
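Ron's point is worth making concrete, because a spec-sheet "75 Mbps" figure is usually measured with large packets, and the same box delivers far less at small packets or a realistic mix. The following is an added example (not from the thread or any vendor) that converts between Mbps and pps using ordinary Ethernet framing (14-byte header plus 4-byte FCS around each IP packet, 64-byte minimum frame, and 20 bytes of preamble/SFD and inter-frame gap per frame), and re-expresses a Mbps rating as a pps budget to show what it buys at minimum-size frames and at the commonly cited "simple IMIX" packet mix. The assumptions are those framing constants and that the rating was taken with 1500-byte packets; the thread's own numbers are not reused.

```python
"""Bandwidth ratings versus packets per second (pps).
Added example; it is not from the thread. It assumes plain Ethernet framing:
14-byte header + 4-byte FCS around each IP packet, a 64-byte minimum frame,
and 20 bytes of layer-1 overhead (preamble/SFD + inter-frame gap) per frame."""

ETH_HDR_FCS = 18      # bytes of Ethernet header and FCS around the IP packet
MIN_FRAME = 64        # bytes; smaller frames are padded up to this
L1_OVERHEAD = 20      # bytes of preamble, SFD and inter-frame gap per frame

# The commonly cited "simple IMIX": IP packet sizes and their relative weights.
SIMPLE_IMIX = ((40, 7), (576, 4), (1500, 1))


def wire_bits(ip_packet_bytes):
    """Bits one IP packet of this size occupies on the wire, framing included."""
    frame = max(ip_packet_bytes + ETH_HDR_FCS, MIN_FRAME)
    return (frame + L1_OVERHEAD) * 8


def pps_at(mbps, ip_packet_bytes):
    """Packets per second a link of `mbps` carries if every packet is this size."""
    return mbps * 1_000_000 / wire_bits(ip_packet_bytes)


def mbps_at(pps, ip_packet_bytes):
    """Throughput a fixed pps budget delivers at this packet size."""
    return pps * wire_bits(ip_packet_bytes) / 1_000_000


def imix_wire_bits(mix=SIMPLE_IMIX):
    """Weighted average wire bits per packet for a traffic mix."""
    total = sum(w for _, w in mix)
    return sum(wire_bits(size) * w for size, w in mix) / total


def rating_in_context(rated_mbps, rated_packet_bytes=1500):
    """Turn a spec-sheet Mbps figure (assumed measured with large packets) into
    a pps budget, then show what that budget delivers for minimum-size frames
    and for the IMIX mix. Returns the three numbers in a dict."""
    budget = pps_at(rated_mbps, rated_packet_bytes)
    return {
        "pps_budget": budget,
        "mbps_at_min_frames": mbps_at(budget, MIN_FRAME - ETH_HDR_FCS),
        "mbps_at_imix": budget * imix_wire_bits() / 1_000_000,
    }


if __name__ == "__main__":
    for size in (40, 576, 1500):
        print(f"100 Mbps link, {size}-byte packets: {pps_at(100, size):,.0f} pps")
    print(rating_in_context(75))
```

A 100 Mbps link full of minimum-size frames is about 148,800 pps but only about 8,100 pps at 1500-byte packets; run backwards, a "75 Mbps" rating taken at large packets is roughly 6,100 pps, which is about 4 Mbps of minimum-size frames or about 18.6 Mbps of IMIX traffic. That is why a pps figure, or a Mbps figure with the packet size stated, is the number to ask the vendor for.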

Ok, The servers in the DMZ provide Mail, web, wiki, ftp, minor DBMS and version control. The FTP and version control can demand high bandwidth - but these are exactly the places I would like to have an extra check for, so we don't get a virus checked in or infecting the servers from an infected laptop. The external connection is 2 up/ 4 down business cable (he said with trepidation)

So, (he said cringing) how far up the scale do you have to go to get AV running at better than, say, 50Mbps?

Reply to
CCMiami

Reply to
Mark

The FG60 comes with AV, IPS, spam, VPN, all unlimited users, $800-ish in US dollars, no hidden charges except software VPN clients if you want to buy them. So about equivalent in general, I'd say.

It most definitely does NOT crap out when you enable AV. I run a FG50A in front of lots of places with 3Mbps-level feeds with *everything* turned on, no problem. The FG60 is faster yet and features 4 physical zones and many more VLAN zones if you want. Fortigate is hardly "going backwards" because they lost a court case; it happens all the time in big business. They're a well funded fully private company, doing business all around the world; this US judgement hardly puts them in trouble. They're rewriting the code in question and will continue to ship product, no noticeable effects are noticed on this quarter's results, existing customers can still use and get support on the products... etc...

But the Trend guys are surely making it out like the world has ended for Fortinet.... lol... it hasn't.

-Russ.

Reply to
Somebody.

I downloaded the manual and it wasn't really clear if each of the physical internal LAN ports could be individually configured with NAT on/off, policies, etc. It probably does, but all the examples show all the LAN ports together and on the "interface" screen shot it only shows "internal". I think all the other firewalls allow each port to be set up as a LAN (like a VLAN). Also the routing options didn't seem as extensive (as, say, the Juniper or Checkpoint), but I didn't read with care.

Reply to
CCMiami

Your information is incorrect. You do not need a software firewall with a hardware appliance which definitely monitors both inbound & outbound traffic.

I believe you are confusing the Windows XP firewall, which is software and does not monitor outbound traffic, with a hardware appliance.

Reply to
Sir_George

I can't advise you on hardware firewall, but you also need a software "firewall" for the out direction. Why not try AppWall, a very good shareware app: electronicscomputing.com

Kelly

Reply to
<info>

No, I beg to differ, a hardware firewall cannot monitor network traffic on a /per-process/ basis

Reply to
<info>

I have considered "Astaro", which has both a hardware and software version - it is not free but is free for home use. But all of these run on the network side, not on the client box as AppWall seems to do. Astaro is a proxy wall instead of packet inspection which may make it slower. So many choices, so little time!

Reply to
CCMiami

Individual policies can be configured with NAT on/off. Those could be between any interface/VLAN/zone and any other interface/VLAN/zone as required, multiple VLANs being possible on any interface, and multiple interfaces being possible in each zone. So, pretty darn flexible; in fact, I can't conceive of a way to make it *more* flexible, since you can use a DIP to assign which IP it NATs from also in each of those cases.

Routing options are reasonable but not exhaustive. You can do static routes of course, and also source routes based on IP, port, or protocol. It can do RIP but OSPF is a rudimentary implementation only. But static and source routes with weights meet most people's requirements for routing I find, rarely does anyone count on a firewall device to deal with heavy duty dynamic routing.

-Russ.

Reply to
Somebody.
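Russ's description of zone-pair policies with per-policy NAT and a DIP pool, plus static routes and source (policy) routes with weights, is the decision logic that actually determines which of CCMiami's flows get through and with what source address. The following is an added example (not from the thread and not any vendor's code) that models that decision for one new flow in plain Python: a route lookup chooses the egress interface (source routes first, then the static table by longest prefix and lowest weight), interfaces map to zones, and the first matching zone-pair policy decides accept or deny and whether to NAT. The zone names, interface names, policies, routes and RFC 5737 addresses are all constructed for the example; the office layout follows the original post (internal LAN, DMZ servers, two WAN links).

```python
"""Toy model of how a zone-based appliance handles one new flow.
Added example that models the behaviour described in the thread; it is not
any vendor's implementation. All names and addresses are constructed
(RFC 5737 documentation ranges)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class Policy:
    src_zone: str
    dst_zone: str
    services: set                  # {"any"} or {"tcp/80", ...}
    nat: bool = False              # translate the source address on egress?
    dip_pool: list = field(default_factory=list)  # addresses to NAT from


@dataclass
class Route:                       # static route
    prefix: str
    iface: str
    weight: int = 0                # lower wins among equal prefix lengths


@dataclass
class PolicyRoute:                 # "source route": by source IP, protocol, port
    src_prefix: str
    iface: str
    proto: str = "any"
    dport: int = 0                 # 0 = any port


ZONES = {"internal": "lan", "dmz": "dmz", "wan1": "wan", "wan2": "wan"}
IFACE_NETS = {"internal": "192.0.2.32/27", "dmz": "192.0.2.0/29",
              "wan1": "198.51.100.0/29", "wan2": "203.0.113.0/29"}

POLICIES = [  # first match wins; anything unmatched is implicitly denied
    Policy("lan", "dmz", {"any"}),                          # office to servers, no NAT
    Policy("wan", "dmz", {"tcp/80", "tcp/25", "tcp/21"}),   # published services only
    Policy("lan", "wan", {"any"}, nat=True, dip_pool=["198.51.100.3"]),
    Policy("dmz", "wan", {"tcp/25", "udp/53"}, nat=True),   # servers: mail out and DNS only
]
STATIC = [
    Route("0.0.0.0/0", "wan1", weight=10),
    Route("0.0.0.0/0", "wan2", weight=20),  # backup link: loses on weight while wan1 is up
    Route("192.0.2.0/29", "dmz"),
    Route("192.0.2.32/27", "internal"),
]
POLICY_ROUTES = [PolicyRoute("192.0.2.32/27", "wan2", proto="tcp", dport=21)]  # office FTP via wan2


def ingress_iface(src):
    """Interface a packet with this source address arrived on."""
    a = ipaddress.ip_address(src)
    for name, net in IFACE_NETS.items():
        if a in ipaddress.ip_network(net):
            return name
    return "wan1"  # unknown source: assume it arrived on the default-route side


def egress_iface(flow, static=STATIC, policy_routes=POLICY_ROUTES):
    """Source routes override the static table; static routes are chosen by
    longest prefix, then lowest weight. Returns None if nothing matches."""
    s, d = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    for pr in policy_routes:
        if (s in ipaddress.ip_network(pr.src_prefix)
                and pr.proto in ("any", flow.proto) and pr.dport in (0, flow.dport)):
            return pr.iface
    cands = [r for r in static if d in ipaddress.ip_network(r.prefix)]
    if not cands:
        return None
    best = max(cands, key=lambda r: (ipaddress.ip_network(r.prefix).prefixlen, -r.weight))
    return best.iface


def decide(flow, policies=POLICIES):
    """Route, map both interfaces to zones, then apply the first matching policy."""
    in_if, out_if = ingress_iface(flow.src), egress_iface(flow)
    if out_if is None:
        return {"action": "deny", "reason": "no route"}
    svc = f"{flow.proto}/{flow.dport}"
    for p in policies:
        if (p.src_zone, p.dst_zone) == (ZONES[in_if], ZONES[out_if]) and (
                "any" in p.services or svc in p.services):
            src = flow.src
            if p.nat:  # DIP pool address if configured, else the egress interface address
                src = p.dip_pool[0] if p.dip_pool else str(
                    next(ipaddress.ip_network(IFACE_NETS[out_if]).hosts()))
            return {"action": "accept", "in": in_if, "out": out_if, "nat_src": src}
    return {"action": "deny", "reason": "no matching policy", "in": in_if, "out": out_if}
```

Two things the model makes visible that the thread only implies: the destination zone comes from the route lookup, so a source route that steers office FTP out wan2 still lands in the same "wan" zone and hits the same lan-to-wan policy; and because there is no wan-to-lan policy at all, an outside host can reach the published DMZ ports but never the office LAN, while the DMZ servers themselves can only send mail and DNS outbound, which limits what a compromised server can do.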

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.