Educause Security Discussion mailing list archives

Re: Fortinet Firewalls


From: "Ness, Carl J" <carl-ness () UIOWA EDU>
Date: Thu, 23 Apr 2009 09:39:29 -0500

Beware of kitchen-sink devices. If you need a firewall, get a firewall; if you need IPS, get an IPS box. When you're 
talking enterprise-class, it really is better to stay away from vendors and solutions that claim to do more than one 
thing. Usually they do many things kinda-sorta well. I'd rather have more than one box that does one thing and does it 
really well. SOHO or branch office, well, that's where all-in-ones excel.
Just my .02
Carl

Carl J. Ness, M.S., CISSP
Senior Security Analyst
CIO Office, University of Iowa

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of 
Consolvo, Corbett D
Sent: Thursday, April 23, 2009 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls

We use ASAs, they have very good basic firewall performance (best I've seen) but do not have the intelligence that the 
pure-play firewalls have.  I have been interested in looking at Palo Alto firewalls but have not had a chance past a 
quick demo.
Thanks,
Corbett
Texas State University
________________________________
From: The EDUCAUSE Security Constituent Group Listserv [SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ramon Hermida 
[rhermida () UTPA EDU]
Sent: Thursday, April 23, 2009 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls

We are using Fortinet firewalls for several firewall purposes.  We run these in clusters (we are using their 
mid-range blade solution) and active-active mode to do load-balancing.  We have been using IPS, A/V scanning, web 
filtering and some traffic shaping quite successfully for a couple of years now.  We have also used their IPSEC and 
SSL VPN functionality without any issues.  We are actually quite impressed with the IPS functionality because it allows 
blocking not only by signature, but also by malicious behavior.  We are currently passing about 240 Mbps of bandwidth 
and what we like about the solution is that when our bandwidth needs increase, we just add additional blades to the 
cluster.  Last time I checked Cisco ASA could not handle IPS scanning for more than 100 Mbps of bandwidth.
Please contact me off-list if you wish further details as I don't feel comfortable disclosing further details of our 
network infrastructure in a public forum.
Regards
-RH
Ramon Hermida
Senior Network Security Analyst
University of Texas Pan American

________________________________
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pufahl, 
Jason
Sent: Thursday, April 23, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls

The University of Connecticut uses Fortinet firewalls at a variety of locations throughout campus.  Unfortunately, we 
deployed them at our Internet borders and they have never performed as advertised.  We have had no end of significant 
software issues related to A/V and IPS scanning and performance.  At our lower traffic volume sites the hardware 
performs adequately.  Our opinion is that Fortinet is not suited for an enterprise deployment, but that they fit well 
in a small office/small network scenario.
We are in the process of evaluating different vendors now with the intention of replacing the Internet-facing 
firewalls before next fall.
Feel free to contact me off list if you would like additional information.
-Jason Pufahl
Team Lead, Network Security
University of Connecticut


From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, 
Brian D.
Sent: Thursday, April 23, 2009 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fortinet Firewalls

We currently run an old Pix firewall and it's done the job well, but it's time to retire it.  We are looking at 
Fortinet and Cisco ASA at the moment and are quite interested in Fortinet due to its price and capabilities at that 
price point.  Would anyone be willing to share their experience with Fortinet firewalls and their tech support?  We are 
most interested in their VPN, both user and site to site; SSL VPN; virus scanning; and IPS features.
Suggestions of other vendors that can provide the same features are welcome as well.


Thank you,

Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
