IDS mailing list archives

Re: Fortinet's fortigate 100 devices


From: hank.schupp () mantech-ist com
Date: 29 Dec 2005 17:40:44 -0000

Jimmy - 

We ran an internal bake-off between several of the All-in-one appliances last year including the FortiGate 3000-series 
appliance. In the end, for us, the FortiGate appliance took the lead in almost every category.  Throughput, 
ease-of-use, configuration, and HA/LB.  The HA was tested on both the copper and fiber interfaces and the units 
failed-over consistently when such conditions were created.  The HA process maintains session data across the units. We 
pulled cables in the middle of large downloads and the units not only failed over but passed on the session data so 
that the download continued with only a momentary (it was visible) hitch.  FTP sessions were rock solid but 
occasionally an HTTP download would hiccup during the FO.  

There were some weaknesses in the Management Interface as far as AV configuration and reporting but from recent reviews 
I hear that has improved dramatically.

FortiGate had some licensing issues with the AV portion of the product last year and I have not heard how they resolved 
all that but since they are still selling it with AV I gather it has been.

Support-wise I was impressed.  Even though they knew we were doing this as an eval for a customer they were always 
quick to respond to our questions and issues.  Enough so, that when we experienced some problems with the HA testing 
they sent an engineer to our lab to assist in the troubleshooting.  Problem was a BIOS mismatch.  Unable to fix it 
onsite - they shipped overnight another PAIR of units they knew to be compatible.  This was support pre-sales!  In the 
end our customer did purchase several FortiGate 3000 appliances and has been extremely pleased with the boxes so far.  
(some log-forwarding to a SIM has made them even happier). 

Caveat:  In the end, all three vendors (FortiGate, Symantec, and ISS) being evaluated sent engineers to assist in the 
initial configuration or troubleshooting of their products.  This was more to do with giving them all an equal chance 
to show their product at what they conceived to be "tuned" than with any actual problems. 

Note 2: The FortiGate included an option for a "Fail-By" capability (hardware option) that could bypass the unit(s) if 
they started failing to inspect traffic (due to load or just plain failure).  This is a highly controversial option 
since you likely would NOT want traffic to go uninspected.  However, there are conditions where the RISK considerations 
say to maintain the link no matter what.  Hmmm... Not sure if that should ever be true ... but the option is there 
nonetheless.

I have the eval docs on file (not releasable) and can look up any specific areas you may have questions on.  

hps 
