Educause Security Discussion mailing list archives

Re: Fortinet Firewalls


From: "Ouska, Julie" <Julie.Ouska () CCCS EDU>
Date: Thu, 23 Apr 2009 10:06:35 -0600

I checked with my Manager of Network Technologies and this was his
response:
Our current production firewalls are Cisco ASAs.  They have not given
us any issues like we had with the old PIXes.  We do have the ability to
run the firewalls on the Fortinet devices as well; however, they are
currently only being used for web filtering.  As for the SSL VPN, we
tested it on the ASAs, the Fortinets and Juniper, and Juniper is far
superior to the others in the SSL VPN environment.  If I was looking to
replace firewalls in the future I'm not certain that I would use Cisco
or Fortinet and might go down the Juniper path with that product as
well.
Julie
Julie Ouska
CIO/VP, Information Technology
Colorado Community College System
(720) 858-2781
julie.ouska () cccs edu
www.cccs.edu
 
 
 
 
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Tupker, Mike
Sent: Thursday, April 23, 2009 9:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
 
I'm in the same boat. I've been looking at WatchGuard and SonicWall, but
I also have concerns about performance of the all-in-one devices.
Currently we have a Secure Computing Sidewinder G2 UTM (now McAfee)
device. In terms of performance it works well but it has no useful
reporting unless you buy a very expensive software package (or unless
you like looking through UNIX logs with grep). The yearly maintenance
cost is also extremely high on the G2 compared to similar UTM devices.
I've also looked at the Palo Alto offerings and am pretty impressed by
the ease of management (almost looks a little too easy) :)
Mike Tupker
Systems Administrator
Mount Mercy College
Office: (319) 363-1323 x1401
Mobile: (319) 538-1644
If you need assistance with a computer issue please contact the
helpdesk at x4357 or http://help.mtmercy.edu.
 
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, Brian D.
Sent: Thursday, April 23, 2009 9:42 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
 
I completely agree and excellent advice.  Unfortunately my budget and
security requirements are at odds.
 
 
 
Thank you,
 
Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
 
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ness, Carl J
Sent: Thursday, April 23, 2009 10:39 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
 
Beware of kitchen-sink devices. If you need a firewall, get a firewall,
if you need IPS, get an IPS box. When you're talking enterprise-class,
it really is better to stay away from vendors and solutions that claim
to do more than one thing. Usually they do many things kinda-sorta well.
I'd rather have more than one box that does one thing and does it really
well. SOHO or branch office, well that's where all-in-ones excel.
Just my .02
Carl
 
Carl J. Ness, M.S., CISSP
Senior Security Analyst
CIO Office, University of Iowa

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Consolvo, Corbett D
Sent: Thursday, April 23, 2009 9:14 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
 
We use ASAs; they have very good basic firewall performance (best I've
seen) but do not have the intelligence that the pure-play firewalls
have.  I have been interested in looking at Palo Alto firewalls but have
not had a chance past a quick demo.
Thanks,
Corbett
Texas State University
________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Ramon Hermida
[rhermida () UTPA EDU]
Sent: Thursday, April 23, 2009 9:07 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
We are using Fortinet firewalls for several firewall purposes.  We run
these in clusters (we are using their mid-range blade solution) and
active-active mode to do load-balancing.  We have been using IPS, A/V
scanning, web filtering and some traffic shaping quite successfully for
a couple of years now.  We have also used their IPSEC, and SSL VPN
functionality without any issues.  We are actually quite impressed with
the IPS functionality because it allows blocking not only by signature,
but also by malicious behavior.  We are currently passing about 240 Mbps
of bandwidth and what we like about the solution is that when our
bandwidth needs increase, we just add additional blades to the cluster.
Last time I checked Cisco ASA could not handle IPS scanning for more
than 100 Mbps of bandwidth.  
Please contact me off-list if you wish further details as I don't feel
comfortable disclosing further details of our network infrastructure in
a public forum.
Regards
-RH
Ramon Hermida
Senior Network Security Analyst
University of Texas Pan American
 
________________________________

From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Pufahl, Jason
Sent: Thursday, April 23, 2009 8:27 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Fortinet Firewalls
 
The University of Connecticut uses Fortinet firewalls at a variety of
locations throughout campus.  Unfortunately, we deployed them at our
Internet borders and they have never performed as advertised.  We have
had no end of significant software issues related to A/V and IPS
scanning and performance.  At our lower traffic volume sites the
hardware performs adequately.  Our opinion is that Fortinet is not
suited for an enterprise deployment, but that they fit well in a small
office/small network scenario.
We are in the process of evaluating different vendors now with the
intention of replacing the Internet-facing firewalls before next fall.

Feel free to contact me off list if you would like additional
information.
-Jason Pufahl
Team Lead, Network Security
University of Connecticut
 
 
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Kellogg, Brian D.
Sent: Thursday, April 23, 2009 8:57 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Fortinet Firewalls
 
We currently run an old PIX firewall and it's done the job well, but
it's time to retire it.  We are looking at Fortinet and Cisco ASA at the
moment and are quite interested in Fortinet due to its price and
capabilities at that price point.  Would anyone be willing to share
their experience with Fortinet firewalls and their tech support?  We are
most interested in their VPN, both user and site to site; SSL VPN; virus
scanning; and IPS features.
Suggestions of other vendors that can provide the same features are
welcome as well.
 
 
Thank you,
 
Brian Kellogg
Network Services Manager
St. Bonaventure University
716-375-4092
