Fortinet FortiGate Reviews

These devices allowed my organization to connect a network of gas stations and convenience stores nationwide. The VPN capabilities provide a reliable connection to our corporate network over very low cost internet services (basically, any Internet service locally available can be used for this connections).

We also leverage the NGFW, UTM and WLAN controller features to provide security for corporate network traffic, and secure, content-filtered guest internet access for customers in the convenience stores. All this at a relative low cost.

• LinkGreat firewall capabilities
• Great IPS and web filter for small remote locations, with VPNs for tunneling to the corporate network, makes this device a solid choice for many sites.

Stability and technical support are the two major issues I have found with Fortinet.

We’ve had cases of unexplained bugs that go away with a simple device reboot. Software updates usually help with these issues.

I have personally found that Fortinet advertising can be misleading. The devices will usually fail way before reaching the capacity advertised in the data sheets, especially when you activate several of the features the device can handle. This is not a dealbreaker for me, especially because of the cost. But I would advise care when dimensioning the devices you’ll need.

Customer Service:

Customer service in Fortinet is OK. Lately they've been making efforts in this area. They actually call you when licenses are about to expire which is a nice touch on their part.

Technical Support:

I would say technical support is 6/10. I’ve found tech support to vary, sometimes being decent, sometimes painfully inefficient. Much room for improvement here IMHO.

We still use Cisco for some cases. However, where we need the advanced security and UTM features, Cisco’s prices can be very restrictive. Fortinet is a much more cost-effective choice for those cases.

Initial setup was very straightforward. Interface is very friendly and easy to comprehend.

Before choosing this product, we also evaluated Cisco.

Be careful with dimensioning. Don’t expect the device to handle ALL the features. Usually firewall, Web Filter and the WLAN controller work well. But if you need IPS, app control and AV, I would advise over-dimensioning the device a bit (taking Fortinet data sheets as the reference).

We have secured our LAN IP subnets with VLAN segregation.

Layer-3 firewall and routing are the most valuable features. We use it as an internal firewall for VLAN segmentation.

When we need to enable Netflow on the firewall, there is a high CPU and memory usage that occurs. They should improve that high CPU and memory usage that occurs.

There were no stability issues.

There were no scalability issues.

Technical support is good.

We were previously using the Check Point and Palo Alto software. The price and user-friendly GUI are the reasons that we switched to this solution.

It is an easy setup and configuration.

It's a user-friendly and stable firewall. You can safely use it for all small and big LAN networks.

It has given us improved security over the internet.

Ease of use, single console, Unified Threat Management (UTM) features.

NGN, reporting and controls.

We had some stability issues but we upgraded.

There was a hardware limitation, affecting scalability.

I would rate the technical support as 8/10.

We had a different solution in the organization arising from different OEMs and this solution was chosen with consideration of requirements and costs.

The initial setup was simple but the DC was complex.

Go for long term pricing negotiated at the time of purchase.

We evaluated Check Point, Cisco ASA.

You should be clear concerning the scope and outcome you are looking for.

• Flexible enough to handle everything we could want
• Configuration layout is easily understandable
• Allows for firewall rules to be programmed and named in a way that makes it “readable”
• VPN support and some anti-virus protection.

It would be nice if backups could more easily migrate between different models.

I did not encounter any issues with stability.

No scalability issues, but communications is severely limited in our case by design.

They were our first firewalls on site.

It does require someone knowledgeable in routing, firewall rules, and these firewalls in particular. Once it is set up, they are easy to modify and maintain.

It is difficult as an end-user to setup continuing license contracts. It is possible to do between emails and their website, but it is practically impossible to find a phone number to call anyone directly.

We considered SonicWall .

It is an excellent product and works extremely well. If it is set up in a logical way, it is very easy to understand and modify. It is highly recommended to have a service “expert” familiar with these to set it up initially with customer direction.

• Complete and cost-effective next-generation firewall features with app identification, and IPS and URL filtering with SSL inspection.

• Better manageability
• Straightforward deployments
• Streamlined and reliable upgrades

Customers have more time to focus on security because maintaining the firewalls is completely hassle-free.

Grouping/tabbing (not only by interface) in the policy table of the web GUI would be a great addition.

I have used it for two years.

We have not encountered any deployment issues.

We have not encountered any stability issues. Stability has dramatically improved over the previous main version branch of FortiOS; 5.2.x and 5.4.x are stable enough for critical environments.

We have not encountered any scalability issues; proven that you properly sized the FortiGate model that fits your environment.

Customer service is sufficient.

The tech support is not excellent; this is where Fortinet saves money compared to others... But plenty of free, clear and public documentation is available and this compensates for the most part the tech support shortcomings.

We previously used Cisco ASA. We switched because the old ASA has no next-generation features.

IMHO It is the most straightforward enterprise-level next generation firewall.

All implementations were done in-house.

ROI is very high, it has hands-down the best price/performance/features ratio in the market...

The licensing model is straightforward, easy to understand and purchase; prices are fairly low compared to other vendors.

Before choosing this product, we also evaluated Check Point and Palo Alto Networks.

In version 5.4, they added a WAF feature that is absolutely unique for this kind of product; no other NGFW product can also be a WAF and this is a great added value...

FortiGate/FortiWifi:

• IPS
• Application control
• IPsec & SSL VPN
• Web filtering
• E-mail security
• Data leak prevention
• Wireless security and wireless controller
• Central antivirus (FortiClient)
• HW & SW token controller (FortiToken) etc.
• FortiManager

• Central management
• Administrative domains (can group devices according to geographical are, functionality, admins, etc.)
• FortiGuard management
• Logging and reporting
• Configuration version control and tracking
• Firmware management
• Scripting
• 
  
• FortiAnalyzer

• Centralized security log analysis and forensics
• Centralized graphical reports
• Customized reports
• Scheduled reports
• Queries
• Content archiving/data mining

Routing and security policies, central management and all of the other features help us to improve network performance and implement organization policies.

They could improve vulnerability scanning.

I have used it for three years.

We encountered a few stability issues; maybe one case per year.

I did not encounter any scalability issues.

Technical support is 10/10. They respond and offer solutions very fast.

We previously used Cisco solutions. They are more expensive, have fewer features, are more difficult to use, and response and help from
technical support is not quick.

For Fortinet solutions, the initial setup is very easy.

They are very cheap compared to other vendors.

Fortinet solutions are very easy to implement, proven, certified and tested.

There is no need to buy physical firewall hardware when you host multiple customers requiring individual secure access to their FW. You just create virtual domains (VDOMs).

You can create multiple Virtual Domains (VDOMs), which are treated as separate firewall instances. The reporting you receive out of this appliance is excellent. You will not need an external management system.

1. sFlow and NetFlow

I could not configure sFlow from the FortiGate graphical user interface. I realized that the sFlow configuration is available only from the CLI, and discovered that sFlow is not supported on virtual interfaces, such as VDOM links, IPsec, or GRE.

NetFlow is a network protocol developed by Cisco for collecting IP traffic information and monitoring network traffic. It is not supported on FortiGate for those who have a NetFlow analyzer/collector already setup in their network.

2. Policies

To control traffic in a firewall, you need to create and apply policies to the FW interfaces. By default, policies are sorted by FW interfaces and this makes FW interfaces an integral part of the policies. Zones provide the option to logically group multiple virtual and physical FortiGate firewall interfaces. Then, you apply security policies to those zones (logical groups of interfaces) to control traffic flow on those interfaces.

In a FortiGate unit with a lot of interfaces (including virtual interfaces), there is a high probability of having duplication of policies.

These devices are very stable.

They are easily scalable with multiple built-in interfaces. It supports a minimum of 10 VDOMs. VDOM supports all dynamic routing protocols like RIP, OSPF, BGP, and IS-IS. You do not need to reboot after enabling the VDOMs.

Area for improvement - there is one big configuration file with no separations for the unique VDOMs. Maybe they could separate individual VDOM configuration files with the root VDOM configuration file referencing the individual VDOM config files.

Customer Service:

Customer service is great, an eight out 10.

Technical Support:

I will give technical support an eight out 10.

We previously used different solutions as well. We did not switch, we have different requirements for different customers.

The user interface is relatively easy. The devices are easy to deploy and figure out if you have experience with other security appliances.

It was an in-house installation.

The ROI is great. These boxes are not that expensive compared to what they can do, their functionality, and the reporting you receive.

Fortinet licensing is straightforward and less confusing compared to Cisco. Fortinet has one or two license types, and the VPN numbers are only limited by the hardware chassis make.

I already have experience with Cisco ASA, so it was simply a customer preference and well within the budget.

Great appliances, and it is affordable.

The most valuable features for us are

• VPN
• WebFilter
• Firewall

It's features are highly customizable. This means that when our different business groups have different needs, the implementations can be customized to meet the demands of those groups and needs.

I'd like to see an improvement in the Bandwidth Management and Traffic limit control.

Also, the licenses are expensive, turning off some users.

We've used all units for five years, except the FortiGate 200D which has been in use for one year. Alongside FortiGate, we also have FortiAnalyzer 1000B and the FortiManager 200D.

There have been no issues with the deployment.

There have been no stability issues.

It has not been a problem to scale it.

Customer service is very good.

Technical support is very good.

I depend on different products from different vendors depending on the required function.

The initial setup is simple in the CLI or Web GUI.

An in-house network engineer implemented it using the best practice recommendations from the vendor.

The appliances and licenses are expensive, and I know some people use other vendors because of this.

You should know the customization you want from the beginning, and plan your requirements appropriately.

• Flexibility
• Flow tracking
• B2B VPN

It's good for what it is. I could achieve the same results with a pfSense firewall. This one just comes in a nice hardware package.

Better documentation about usage of the CLI. I learned most of what I know in diagnostic functionality through saving SSH sessions with the customer support staff while in WebEx sessions.

I have tried looking up the manuals. They are OK in some respects, but I feel exhaustive documentation about the CLI "with examples" should be there, and I feel it's not.

I'm saying, hey lets consolidate some of the primary real world scenarios like:
Section A: - Troubeshooting B2B VPN peering with a business partner or client when initially setting up the VPN tunnel.

Inevitably, there are always quirks and nuances between the fortigate vendor versus peering with a Palo Alto or an ASA firewall or even a Juniper SSG.

Imagine providing all steps, command line syntax, and GUI (if available) and how to take steps to debug the flow and see what's failing.
Sometimes it's super hard to figure out what's wrong with a fortigate VPN unless you know the commands on the CLI to see the flow and how to interpret it.

If they had all the methods / syntax and the "how's and why's" for a scenario; even possibly an instructional video showing how via the CLI and gui alongside the documentation. It would be like the pearly gates had opened and I had gone to heaven.

I have used it for three years.

I never encountered any stability issues. It is a very stable product.

Scalability's not been an issue for my org. We only utilize it for certain applications.

Technical support is excellent, although it can be a bit difficult to understand the tech. As with most support staff from almost all vendors now, the support comes from somewhere across the pond.

On the site where the FortiGate is stationed, it's never been changed out.

Initial setup was straightforward.

Buy the support package! Upgrades, advice about upgrade paths, and troubleshooting help is paramount. There have been some times where, without it, I'd have been dead in the water.

This was an in-place firewall when I integrated the site to my org.

Figure out what features you want, and what policies you want. Look up how to do it in advance, and create an implementation plan.

Plan for policies, routing, NATting, etc. Create a step-by-step process in advance, possibly create the environment in a DEV sandbox, test it, then implement.

It has a good feature set. However, sometimes you are forced to solicit technical support to get it working.

Also, I find the web interfaces sometimes do not display things properly.