IDS mailing list archives
Re: Fortinet's fortigate 100 devices
From: Bob Walder <bwalder () spamcop net>
Date: Mon, 02 Jan 2006 21:34:15 +0100
We started testing UTM devices at the end of last year and Fortinet and ISS were the first two to complete testing. The reports are available on our Web site (www.nss.co.uk).

As you will see, the performance drops off considerably the more functions you enable, so careful capacity planning is required.

We found both devices to be capable for the target market - just don't expect the wire-speed Gigabit performance you get from dedicated in-line IPS devices.... :o)

AV and Anti Spam are real performance hogs (no matter which vendor you look at)!

If you don't need firewall, VPN and IPS then you could also look at SCA devices such as Panda GateDefender (also tested).

Bob Walder
The NSS Group

On 30/12/05 18:03, "Andrew Plato" <andrew.plato () anitian com> wrote:
DISCLAIMER: I am a reseller of Fortinet.

Hi Jimmy,

I sell and support a lot of Fortinets. They're a good product. They aren't perfect, but as a UTM device, they're definitely one of the best on the market.

In terms of performance, you'll want to buy way more Fortinet than you think you need. As a basic firewall, the performance is great, but if you start turning on services (like IPS and AV) the performance plummets. If you think a 100 is right for your environment, you might want to consider a 200 or 300 if you plan to turn on the other services.

The HA on Fortinet is about as easy as it gets. I typically deploy them as an active-active cluster. The latency when one goes down and the other picking up is short. Just a few seconds. Having deployed hundreds of Fortinets, HA has never been a problem.

There are some gotchas with Fortinet. The IPS is frustratingly obscure. While it's not bad at detecting things, the GUI makes it painstakingly slow to configure. I've gotten good at doing IPS work in the CLI using a text script I built.

Logging in the Fortinet is not so hot either. Try to budget for a Fortilog/Fortianalyzer. It's extra money, but it's worth it in the long run. Unless you really like writing syslog parsers. Also, I find the way firewall policies are created to be a little laborious.

Fortinet support is fair. My experience is that it can take days to get answers. However, they are very nice to partners. If you can find a knowledgeable Fortinet reseller/partner they may be more help than Fortinet. They can also get you past first line support to engineering support.

As far as competing products - you'll want to look at SecureComputing's Sidewinder and 3Com's TippingPoint X505. WatchGuard and Sonicwall are trailers in the UTM space. WatchGuard has a good GUI. The IPS and AV are okay. I would avoid Cisco's and Symantec's offerings in the UTM space. They aren't very impressive and generally cost more.
Also, a lot of Fortinet's competitors like to bring up Fortinet's issue with TrendMicro and their violation of the GPL license. Both of these issues have been resolved and are no longer an issue. Fortinet re-engineered their AV engine, so it does not violate the Trend patent. And they have published their code changes and thus complied with the GPL license. So, don't let some sale-hungry vendor rep mislead you with those issues.

Good luck.

_____________________________________
Andrew Plato, CISSP
President/Principal Consultant
ANITIAN ENTERPRISE SECURITY
Your Expert Partner for Security & Networking
3800 SW Cedar Hills Blvd, Suite 280
Beaverton, OR 97005
503-644-5656 Office
503-214-8069 Fax
503-201-0821 Mobile
www.anitian.com
_____________________________________

-----Original Message-----
From: Jimmy Stewpot [mailto:squid () oranged to]
Sent: Wednesday, December 28, 2005 7:21 AM
To: focus-ids () securityfocus com
Subject: Fortinet's fortigate 100 devices

Hello,

I am currently in the process of evaluating a security appliance by the company Fortinet. The product in specifics is the Fortigate 100. So far the product has been looking very impressive. However I have some questions that I am trying to find answers to.

- Has anyone got any advice regarding the network performance of these devices in real world environments? During my testing I noticed they are using a Realtek 8139 based NIC. I personally have never had any issues with Realtek 8139 cards in environments ranging from slow to medium/high bandwidth utilization (40-50Mbps) however any feedback about how the Realtek network cards perform in the Fortigate would be greatly appreciated.

- I noticed that the system has got HA functionality. It appears to be very similar to the way in which VRRP works. However it does not state that it's actually VRRP (licensing issues perhaps). Does anyone have any feedback as to how good the fail over/fail back/redundancy issues are on these devices?
- Any overall opinions or feedback from anyone that has used the device in any production environments would be fantastic. Also if anyone knows of any competing products I would be very interested to know about them.

- I am also interested to know how everyone's experiences are in regards to Fortinet support?

So far my own experience in using the devices has been exceptional. However as we are looking to put them into some more intensive solutions I need to find out as much information as I can so that we can prepare or look at bigger/faster Fortinet boxes or alternatives.

Regards,

Jimmy.
Current thread:
- Re: Fortinet's fortigate 100 devices Louis Wang (Jan 02)
- <Possible follow-ups>
- Re: Fortinet's fortigate 100 devices Joel M Snyder (Jan 02)
- RE: Fortinet's fortigate 100 devices Jonathan Lebowitsch (Jan 06)
- Re: Fortinet's fortigate 100 devices hank . schupp (Jan 02)
- RE: Fortinet's fortigate 100 devices Andrew Plato (Jan 02)
- Re: Fortinet's fortigate 100 devices Bob Walder (Jan 05)