IDS mailing list archives

RE: Fortinet's fortigate 100 devices

From: "Jonathan Lebowitsch" <jlebowitsch () pacbell net>
Date: Mon, 2 Jan 2006 14:02:51 -0800

 
Joel, what Fortigate model do your numbers refer to? Is it
the 3600 that you reviewed?

thanks

-----Original Message-----
From: Joel M Snyder [mailto:Joel.Snyder () Opus1 COM] 
Sent: Thursday, December 29, 2005 8:18 AM
To: squid () oranged to; focus-ids () securityfocus com
Subject: Re: Fortinet's fortigate 100 devices

- Has anyone got any advice regarding the network

performance of these

devices in real world environments. During my testing I

noticed they

are using a Realtek 8139 based NIC. I personally have

never had any

issues with Realtek 8139 cards in environments ranging

from slow to

medium/high bandwidth utilization (40-50Mbps) however any

feedback

about how the Realtek network cards perform in the

Fortigate would be

greatly appreciated.


I did a test of Fortinet products and found them to be
highly CPU-bound once you turn on all features.  For example
(TPS = HTTP transactions per
second):

        only firewall turned on:        2000 TPS/70 Mbps
        IDS turned on:                  1000 TPS/39 Mbps
        IDS+IPS turned on:              1000 TPS/39 Mbps
        IDS+IPS+A/V turned on:          100 TPS/2 Mbps
        IDS+IPS+A/V+VPN tunnels:        50 TPS/1 Mbps


- I noticed that the system has got HA functionality. It

appears to be

very similar to the way in which VRRP works. However it

does not state

that its actually VRRP (licensing issues perhaps). Does

anyone have

any feedback as to how good the fail over/fail back/

redundancy issues

are on these devices?


It works quite well, for some values of "quite well."  See
my writeup in Network World last week:
http://www.networkworld.com/reviews/2005/121905-ssl-ha.html?
review=sslvpn

The situation is that the HA is really an availability
thing, not a HIGH availability thing.  Fortinet is not
sharing all the state information across the active/active
pair, which means that when you have an HA event, you'll
failover to the new device, but many of the transactions
might have to be restarted (such as, for example, requiring
users to re-authenticate).  They have an internal load
balancer, which looks slick in the glossy brochures, but
once you get to testing it, you'll see that they are not
load-balancing everything.  As I remember, only A/V is
really load balanced (which, as you can see by the numbers
above, is the single most significant drag on system
performance).

- Any overall opinions or feedback from anyone that has

used the

device in any production environments would be fantastic.

Also if

anyone knows of any competing products I would like be

very interested

to know about them.


I found that their SSL VPN features were buggy and
incomplete.  I have severe reservations about their QA
process.  In the past, they have "announced" features (like
their 2.8 release) and then have them sit in beta or 'not
generally available' for months at a time.  For example,
they told me that their SSL VPN feature (in 3.0) was
shipping and ready to go, but in fact it's only available on
specific request to technical support.  In other words, they
often say "you can get this on our web site," but in fact,
you have to beg technical support for it.

I don't know what the situation is with their internal
software QA and development process, but from the outside,
it has a certain malingering odor to it that I would be
suspicious of.

All that being said, I have talked to folks who have used
them for in-line A/V and are very happy.  Since this is the
oldest and most stable feature of the product, if that's
your goal, then I'd go for it. 
  But since you're writing to Focus-IDS (and not
Focus-Antivirus), I would be a bit more suspicious of their
capabilities in the IDS+IPS space, and I would test them
much more carefully.


- I am also interested to know how everyones experiences

are in

regards to Fortinet support?


I have only one data point.  On 20-November, I sent in a
ticket asking for copies of the 3.0 manuals (only 2.8 is on
the web site) and the newest 3.0 software.  On 28-November,
I got a response saying that they would research that, and
on 29-November, I got a response telling me how to download
3.0beta build 89 (although the build that had been shipped
to me was build 111).

jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Phone: +1 520 324 0494 (voice)  +1 520 324 0495 (FAX)
jms () Opus1 COM    http://www.opus1.com/jms    Opus One

------------------------------------------------------------
------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world
attacks from CORE IMPACT.
Go to
http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_
040708
to learn more.
------------------------------------------------------------
------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 
to learn more.
------------------------------------------------------------------------

Current thread:

Re: Fortinet's fortigate 100 devices Louis Wang (Jan 02)
- <Possible follow-ups>
- Re: Fortinet's fortigate 100 devices Joel M Snyder (Jan 02)
  - RE: Fortinet's fortigate 100 devices Jonathan Lebowitsch (Jan 06)
- Re: Fortinet's fortigate 100 devices hank . schupp (Jan 02)
- RE: Fortinet's fortigate 100 devices Andrew Plato (Jan 02)
  - Re: Fortinet's fortigate 100 devices Bob Walder (Jan 05)