Educause Security Discussion mailing list archives

Re: Fortinet unified threat management evaluation feedback needed


From: jkaftan <jkaftan () UTICA EDU>
Date: Thu, 1 Mar 2007 09:34:19 -0500

We just went through the process of buying two Fortigate 1000As for our edge
network.  We are going to set them up as separate networks, student and
admin.  We will also have two ISPs (student and admin).  Each box will be
configured as two virtual boxes, student and admin.  During production the
admin side will route to one physical Fortigate and the students to the
other.  In each case half of the firewall will be a passive standby for the
other.  If a firewall, edge router or ISP goes down, traffic will fail over
to the other side.

We are going to have two 30 Mb internet connections (admin and student) and
the 1000A is rated at 2 Gb throughput (firewall only).

We like what we've been told regarding the Fortigate and are thinking these
two boxes are way overkill for our application.  We'll see.

We will make sure we schedule updates during the night.

We are planning on running AV and IPS as well as Firewall.  I'll keep you
posted.



-----Original Message-----
From: Jere Retzer [mailto:retzerj () OHSU EDU]
Sent: Tuesday, February 27, 2007 6:41 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet unified threat management evaluation
feedback needed

You might also consider Snort as an open source solution. It doesn't include
virus scanning but is billed these days as an intrusion prevention as well
as detection system. Of course, putting anything inline can impact
performance.

cjf () CALFRYE COM 2/27/2007 2:18 PM >>>
Jere Retzer wrote:
One caution: be sure
to evaluate your throughput needs carefully, as IPS and virus scanning
seem to drop throughput by around 90%. I also wonder what the
latency and other impacts on VoIP and H.323 are.

Christian.Heroux () ETSMTL CA 2/27/2007 9:22 AM >>>
I am worried about putting all my eggs in one basket. I know
they use ASICs instead of a CPU, but I would like to see all eight
functions activated (firewall, antivirus, anti-spam, IPS, IDS,
traffic shaping, VPN).

We've seen that just stacking individual devices inline can raise
latency to unacceptable levels. I have no experience with the Fortigate,
but you're right to be worried.

Have them send you a largish unit for evaluation -- you'll never know
how it works with your traffic until you try it out. The times I've done
this, I often haven't changed vendors, but frequently have discovered we
needed a more capable box than we evaluated (wishful thinking, every time).

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com


"Even if you win the rat race, you're still a rat."
