Opinions on Fortinet?

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
Hello,

My boss is looking to possibly move to Fortinet. I've never heard of them; he says it will do firewall duties, VPN, Content filtering, Spam Filtering and gateway virus scanning. Although the unit we are looking at is 10k, the updates for it would be less than the combined cost of updates for our current three devices.

He gave me what I'm calling the "sales pitch book," and I'm going to look over it on the weekend and look around the web but I thought I'd ask here first.


Ever heard of them? What do you think? I'm not too fond of putting all those duties into one unit and I think our services provided by the Barracudas and Firebox are awesome thus far.
 

StarTrek4U

Gawd
Joined
Jan 8, 2003
Messages
1,011
We just purchased a set of Fortinets this past summer. We're using some 111C's in an HA config for our main office, after talking with our sales rep about some of their experiences we don't use them for spam or av filtering on the gateway since that was going to give a pretty big performance hit. You can configure the AV to only inspect certain traffic, etc so you can limit what you're looking at. They've been pretty solid otherwise, the interface is a bit goofy and their support site is kinda odd as well but overall they do the job fine. I like the fact that you pay a set price and get all the features, use em or don't. The a-la-carte pricing by other vendors just irritates me...

If I had to give them a grade... 7/10
 
Joined
Feb 19, 2004
Messages
3,861
we have a bunch of clients that use them. they're great firewall/VPN appliances. the av/web scanning is mediocre at best IMO. also, your barracuda is going to do a much better job at spam filtering than the fortigate. make sure you get a unit to demo before committing.
Posted via [H] Mobile Device
 

joblo37pam

2[H]4U
Joined
Jun 28, 2002
Messages
2,136
I've worked with some on a limited basis for some customers. They seem to have a lot of features, but I'm not a big fan of the interface. Seemed clunky to me. That might get better the more you use it, though.

I do have one customer that had/has a lot of problems with theirs. It's been replaced a couple times already, and there are still some issues and the one they have now needs to be rebooted once in a while to maintain connectivity. The line it is connected to has some issues, though, so it's hard to say how much of the problem is from the device.
 
Joined
Oct 28, 2004
Messages
722
From my experience with them at where I work (A/V + Antispam) - they seem more geared towards office environments. I'll second the UI being clunky - the CLI is pretty much worthless and I'm unimpressed with the VDOM functionality. They have a ton of documentation if you're looking to read up but we haven't found any docs that have examples describing our production network architecture. It'll always be inside/outside office type network examples if that is what you are looking to do with it.
 

bigstusexy

2[H]4U
Joined
Jan 28, 2002
Messages
3,194
Thanks for all the opinions, keep them coming. I haven't even gotten through the sales pitch from the company but I read a few pages. I might take up your offer on docs hokatichenci.

We aren't an office per se; we are a school district. Our setup is basically hub and spoke really (I've also heard starburst), where all the other schools connect back to one/district office then on out to the internet. Nothing fancy so far besides that it comes in through one OptEman connection and out through another but they are physically separated and routed by us. I've heard that some do it differently and have their connection to ICN hang off their network and ATT does all the routing.

The only issue I see now is that we have about double the machines we used to have and we are way above capacity for our 410 web filter and the updates for the fortinet would be cheaper than the three appliances we hope to replace.

Quick question: I'm sure I will find this out in reading but does anyone know if the web filter supports user level filtering? I don't even know yet if it supports inline or proxy based filtering. Currently we have the barracuda set as an inline filter and it knows our AD groups and gives or denies rights based on their group membership. I need to find out if we can do that in fortinet or will we have to think of a different solution
 

StarTrek4U

Gawd
Joined
Jan 8, 2003
Messages
1,011
Quick question: I'm sure I will find this out in reading but does anyone know if the web filter supports user level filtering? I don't even know yet if it supports inline or proxy based filtering. Currently we have the barracuda set as an inline filter and it knows our AD groups and gives or denies rights based on their group membership. I need to find out if we can do that in fortinet or will we have to think of a different solution

The Fortigates do support user-level filtering and AD integration using something called FSAE (I forget what it stands for). Basically a client is installed on your DC and then the fortigate talks back to it and allows/disallows browsing based on profiles you set up. Our company is pretty basic, we have two profiles: Restricted Web Browsers and Unrestricted Web Browsers, each user is in one of these groups in AD, which corresponds to a profile on the Fortigate, so when a user goes to browse it filters them based on the group. We've had an instance or two where for some reason it will just stop working and then all internet access will go down, but otherwise it works.
 
Joined
Feb 19, 2004
Messages
3,861
If money is tight you might consider untangle. They have a discounted package for schools and you can supply your own hardware for the filter so you can size it accordingly.
 
Joined
Mar 15, 2002
Messages
782
We run several of them at work with great success. A close friend of mine is a consultant that has installed just over 150 of them at many locations with great success too. The VPN function both IPSEC and SSL VPN is very solid. We use the LDAP integration to authenticate SSL VPN users via Active Directory. Makes things pretty easy to manage.

On our 110C we have two Exchange servers behind it with a total of about 300 mailboxes and I do AV and SPAM filtering from the Fortigate with no performance issues at all. The AV scanning is done via the ASIC chip which means the main CPU isn't doing the AV scanning which relieves the CPU from having to do that. Basically don't go by what someone tells you about this and that on performance hits; you have to test it out for yourself inside your environment to get the answer.

I find the interface to be just fine. The CLI is just fine too for doing some of the more advanced tasks that may not be in the GUI (which is very rare). The web filtering does support user level and it can be integrated into AD. The level of filtering I do is pretty basic so I don't tax that part of the system that much.

So basically we really like them and we use most of the features. We never reboot them unless we are performing a firmware update. Solid boxes. I think Pizza Hut has them in all their stores now and corporate offices to link everything together. Also all traffic going into the South Korean ISP goes through Fortigates. Fortigate offers the small 30b model all the way up to carrier grade blade chassis systems for ISPs and huge enterprise environments. Each model runs the exact same OS.

Those are my opinions and experiences. Good luck with your project.
 