Replace Fortigate 311B cluster with?

snottz (n00b, joined Apr 13, 2012, 21 messages)
Hi,

in ~9 months the support for our 2x Fortigate 311B cluster will end.
We use IPS a lot, but that (active-active) cluster doesn't offer any real possibility to upgrade the devices themselves. So, what would you suggest?

needs:
- more IPS throughput that will easily last for the next few years; we have ~300,000 sessions (peak) for now, we started with 80,000 four years ago.
- enough 10GbE interfaces
- 5 year support contract with NBD
- high availability that is working (cluster, non stop services while doing firmware upgrades)


What would you suggest? What do you use?
 
I'll suggest Palo Alto Networks.
We run a pair in HA mode at the colo and really like them.
 
Palo Alto and Checkpoint are the current market leaders according to Gartner.

We are looking at the same thing next year. So far we have been quoted a Cisco ASA solution with a separate IPS since we have had issues with Juniper's IPS that is built into the firewall.
 
I'm guessing you're using content clustering? IMNSHO this was a poor decision to buy smaller boxes than you should have to begin with. A/A firewalls are 99% of the time the wrong answer. They are for very niche cases and require the basic understanding that A/A is not HA nor is it intended to be. I'd suggest sticking with what you know and continue with Fortinet, but this time size correctly and use active/passive. This will allow uninterrupted upgrades as well as HA. The smallest box I'm aware of with 10GbE interfaces is the 800C, which is in the neighborhood of 10X more powerful than the 310b series.

If you do move away from Fortinet go Check Point. Regardless of platform I still highly suggest that you avoid A/A.
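The active/passive cluster recommended in the post above, as a FortiOS CLI sketch added here (it is not from anyone in this thread). The interface names port3/port4, the group name and the password are placeholders; check the CLI reference for your firmware before pasting it in.

```fortios
# Added example, not from the thread. Placeholders: port3/port4 (dedicated
# heartbeat links), the group name and the password.
config system ha
    set group-name "edge-cluster"        # placeholder
    set mode a-p                         # active/passive as recommended above; a-a is what the OP runs today
    set password "change-me"             # placeholder; use a long random string
    set hbdev "port3" 50 "port4" 50      # two dedicated heartbeat interfaces
    set session-pickup enable            # sync sessions so a failover does not drop connections
    set uninterruptible-upgrade enable   # upgrade the standby first, fail over, then the old primary
    set priority 200                     # higher on the unit you want as primary
    set override disable                 # avoid a second failover when the old primary returns
end
```

After both units are configured, `get system ha status` should show one unit as master and the other as slave with matching checksums; if the checksums differ, the standby is not in sync and a firmware upgrade will not be uninterrupted.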
 
> I'm guessing you're using content clustering? IMNSHO this was a poor decision to buy smaller boxes than you should have to begin with. A/A firewalls are 99% of the time the wrong answer. They are for very niche cases and require the basic understanding that A/A is not HA nor is it intended to be. I'd suggest sticking with what you know and continue with Fortinet but this time size correctly and use active/passive. This will allow uninterrupted upgrades as well as HA. The smallest box I'm aware of with 10GbE interfaces is the 800C which is in the neighborhood of 10X more powerful than the 310b series.
>
> If you do move away from Fortinet go Check Point. Regardless of platform I still highly suggest that you avoid A/A.

Fortinet partner here. I agree with Nicklebon.

I have experience with Palo Alto but fortinet is what we roll with. I would stick with them personally.
 
Well, I once started with active-passive. The reason for "active-active" is to share the IPS load between both units. Usually I do firmware upgrades when load is low. But I have to agree with you, in a high-load situation I'd probably get into trouble when one of the units breaks away.

So the 800C would be the next step for me in Fortinet's universe. When I look at that one and compare it to a Palo Alto of the same size/power, what about pricing? (I never looked at PA, but aren't those boxes way more expensive?)
 
Palo is VERY proud of their hardware. Fortinet prides themselves on being the cheapest... which is annoying considering their product is actually really good as well. I always feel they sell themselves short.
 
I agree with these guys, stick with the Fortinet product line. I have many, many 800C units in production and they are quite strong compared to the older hardware. In one instance, I replaced a pair of 620b that were A/A and CPU was at 95-100% constantly, and stayed in conserve mode. I replaced them with a HA A/P pair of 800C and the primary rarely breaks 30% CPU load with newer firmware.

My rule of thumb for Fortigate: look at the AV throughput numbers for a closer representation of what throughput the box can handle with most UTM features enabled.
 
I will also add that if you really don't need 10GbE take a hard look at the new 500D. I have not personally tested it but have been told by someone who has, that I trust implicitly, that it will outperform the 800C with real world testing at a much lower cost.
 
I am deploying a 500D on Sunday. I will let you know how it is. I have been pushing a lot of 300Ds lately though.
 
Thanks all, does anyone know whether Fortigate will release a kind of 800D or something like that in 2015? Does a kind of roadmap for new hardware exist?
 
> I am deploying a 500D on Sunday. I will let you know how it is. I have been pushing a lot of 300Ds lately though.

How do you like those? I think for our company's Internet connection, the 300D is way more than we need, but I might get the 500D anyway simply because I don't trust manufacturer specs.

What is the Mb bandwidth and # of users for your 300D sites? Any issues?
 
> How do you like those? I think for our company's Internet connection, the 300D is way more than we need, but I might get the 500D anyway simply because I don't trust manufacturer specs.
>
> What is the Mb bandwidth and # of users for your 300D sites? Any issues?



The 300D can handle every bit of the 1.2 Gbps AV throughput it advertises.

So chances are the 300D is fine. We have been deploying them in the datacenter of a major international corp and it is taking it fine.

The 500D is going in at a major university. Still probably slightly overkill for what they do as well haha. But they bought it and wanted us to install it for them.

The devices handle tons of bandwidth without layer 7. If you are worried about throughput while running layer 7, just use the AV throughput specs. They have made pretty big strides on AV scanning, so those advertised numbers may be slightly low.
 
> Thanks all, does anyone know whether Fortigate will release a kind of 800D or something like that in 2015? Does a kind of roadmap for new hardware exist?

I haven't seen much of a hardware roadmap, but I can tell you that the 800C will handle 1 Gbps with full IPS, app control, web filter, and traffic shaping enabled at about 35-40% load in my experience :)
 
> I haven't seen much of a hardware roadmap, but I can tell you that the 800C will handle 1 Gbps with full IPS, app control, web filter, and traffic shaping enabled at about 35-40% load in my experience :)


So basically you can trust Fortigate's products compared to ZyXel when reporting throughput? Good to know. One thing that really bothers me with lower-end business gear.
 
> So basically you can trust Fortigate's products compared to ZyXel when reporting throughput? Good to know. One thing that really bothers me with lower-end business gear.

In my experience, yes. If it isn't meeting its reported specs, then chances are you have your policy set configured in a very inefficient manner.


My 60D handles my 100 meg connection with surprising ease with layer 7 enabled (and it is only advertised to be able to handle 30-50 meg throughput with AV on), and I regularly peg it out with BitTorrent and more.
 
> Palo Alto and Checkpoint are the current market leaders according to Gartner.
>
> We are looking at the same thing next year. So far we have been quoted a Cisco ASA solution with a separate IPS since we have had issues with Juniper's IPS that is built into the firewall.

I would argue this, since SourceFire/Cisco is a market leader by far. Just check the NSS Labs product tests and you will see that SF has been the winner for the last 4 years.

I would suggest you check out the SF solution.
 