IDS mailing list archives
Re: Fortinet's fortigate 100 devices
From: hank.schupp () mantech-ist com
Date: 29 Dec 2005 17:40:44 -0000
Jimmy -

We ran an internal bake-off between several of the all-in-one appliances last year, including the FortiGate 3000-series appliance. In the end, for us, the FortiGate appliance took the lead in almost every category: throughput, ease-of-use, configuration, and HA/LB.

The HA was tested on both the copper and fiber interfaces and the units failed over consistently when such conditions were created. The HA process maintains session data across the units. We pulled cables in the middle of large downloads and the units not only failed over but passed on the session data so that the download continued with only a momentary (it was visible) hitch. FTP sessions were rock solid but occasionally an HTTP download would hiccup during the FO.

There were some weaknesses in the Management Interface as far as AV configuration and reporting, but from recent reviews I hear that has improved dramatically. FortiGate had some licensing issues with the AV portion of the product last year and I have not heard how they resolved all that, but since they are still selling it with AV I gather it has been.

Support-wise I was impressed. Even though they knew we were doing this as an eval for a customer, they were always quick to respond to our questions and issues. Enough so, that when we experienced some problems with the HA testing they sent an engineer to our lab to assist in the troubleshooting. Problem was a BIOS mismatch. Unable to fix it onsite - they shipped overnight another PAIR of units they knew to be compatible. This was support pre-sales!

In the end our customer did purchase several FortiGate 3000 appliances and has been extremely pleased with the boxes so far. (Some log-forwarding to a SIM has made them even happier.)

Caveat: In the end, all three vendors (FortiGate, Symantec, and ISS) being evaluated sent engineers to assist in the initial configuration or troubleshooting of their products. This was more to do with giving them all an equal chance to show their product at what they conceived to be "tuned" than with any actual problems.

Note 2: The FortiGate included an option for a "Fail-By" capability (hardware option) that could bypass the unit(s) if they started failing to inspect traffic (due to load or just plain failure). This is a highly controversial option since you likely would NOT want traffic to go uninspected. However, there are conditions where the RISK considerations say to maintain the link no matter what. Hmmm... Not sure if that should ever be true ... but the option is there nonetheless.

I have the eval docs on file (not releasable) and can look up any specific areas you may have questions on.

hps