Fortinet FortiSIEM Reviews

FortiSIEM is primarily used as a monitoring tool that can monitor all the incidents and events occurring in the network. The main concern of the customer is to view all the events and incidents on a single pane where everything can be managed.

FortiSIEM is very efficient and helps discover all the points of incidents, identifying users that create loopholes in the network and determining potential points of contact.

The most valuable feature is the ability to view all the network events on a single pane and find the point of contact or point of the incident. Along with FortiSIEM, a solution can be provided, which is a feature I admire.

There could be improvements like introducing some solutions directly into FortiSIEM to avoid the need for separately purchasing additional tools like FortiStore.

I have approximately one year of experience working with FortiSIEM.

I rate the stability of the solution as nine out of ten.

The scalability of the solution is rated eight out of ten.

I rate the technical support provided by Fortinet as nine out of ten.

Positive

The initial setup can vary from being easy to moderate depending on the network size. If the network is small, it might be easy. That said, if it's semi-small or semi-large, it's a moderate setup.

The pricing of FortiSIEM is moderate; it is neither very costly nor very cheap.

I can recommend FortiSIEM, but it depends on customer needs, network size, and preferences. Customers can also consider replacing a physical SOC team with FortiSIEM.

I'd rate the solution eight out of ten.

We primarily use the solution for security.

Fortinet has a unique model, which they call MSSP, managed services security partner. They select a telco in a country, partner with them, and offer them the certification track. We are an MSSP partner in Pakistan. FortiSIEM and FortiSOAR, their overall solutions that are there for threat mitigation, visibility, control, et cetera, is well integrated.

We like the integration of all of these Fortinet platforms together. Everything is integrated well, and we are able to sell that as a service to our customers.

There's a VR feature that is basically segmenting these firewalls, these security devices. Using that feature, we can make a network slice for each and every enterprise customer. All of the infrastructure is deployed in our data center, yet customer uses it as if it is their own.

FortiSIEM is not a market leader in the SIEM space. In SIEM solutions, typically, our customers ask for Splunk, or they ask for Logarithm. Some legacy customers ask for IBM. This isn’t as popular. Fortinet needs to grow in that perspective. They need to become a leader in the magic quadrant of Gartner and be seen as visionary so that the top customers, the big customers, take them seriously in the SIEM space.

I’ve been using the solution for more than a year now.

This is an absolutely stable solution. There aren’t bugs or glitches, and it doesn’t crash or freeze. It’s reliable.

We don’t have users per se. We are selling it. We have just started selling it. At this point, we have more than double-digit customers onboarded who are using the services.

My understanding is that the solution is entirely scalable.

We find technical support quite helpful. They're very responsive. They have a very good on-the-ground team in Pakistan.

While I am responsible for the overall product owners within PTCL, within my organization, I don’t directly deal with implementation tasks.

My colleagues tell me it is easy to deal with, however.

I can’t speak to the general cost of the solution. They have a very flexible model for partners like us, however. It is a pay-as-you-grow model.

I’m not sure which exact version I’m using.

We are a cloud provider. Whatever we do, we sell it to our clients. We're not an enterprise, we are a public cloud provider, PTCL, and we sell to our clients.

I’d rate the solution eight out of ten.

If a company already has Fortinet devices in their network they have all the components of security of Fortinet, then it will make sense for them to consider FortiSIEM. If, however, it doesn’t have Fortinet security devices, it may be difficult to leverage.

We use the solution for monitoring, intrusion detection, and user behavior analytics. We run the dashboards to detect anomalies. We have our own incident tracking solution. We use it to track the time to detect versus the time to resolve and close the ticket.

The product kicks the logs automatically without an agent. We also use it for file integrity monitoring. The analytics engine is quite good. It can correlate traffic across our various platforms and give us a standard dashboard view of what's happening. By seeing what's happening on the network, we can pick anomalies like encrypted traffic, policy violations, and unusual accesses. It helps us be compliant. We can push back on the users and the IT team and keep them accountable based on what they are doing across their network.

Real-time monitoring makes life quite easy for me. Once I have the assurance that I have visibility into what's happening, I can report to the business and my boss that all is well. It also allows me to keep the security operations team on its toes. We do a lot of red teaming. It allows us to see whether the SOC team is doing what it is supposed to do.

The tool is relatively easy to integrate. It's agentless. We have a Windows environment majorly. We can tell the product to monitor everything at once. As long as it's authenticated, it will fix what we need.

Network detection and response is a separate product. That's how I ended up with Wazuh. I'm looking for something to help me on the network and endpoint level. The vendor must look to consolidate and improve that area.

I have been using the solution for more than five years.

The tool is quite stable. I rarely ever need to reboot or check things. I just fine-tune the rules based on the new use cases that keep coming up.

We've not had any troubles with the tool’s scalability. We are a small growing bank. We have around 800 endpoints at the moment.

I have no complaints with the technical support.

Positive

I rate the ease of setup a seven to eight out of ten. It's agentless. We can hit the ground running. A third-party provider currently supports us in maintaining the product. We have no complaints regarding the maintenance work.

The price is competitive. We can scale based on the licensing. It is an annual CapEx.

I am using only Fortinet and Wazuh currently. I have worked with AlienVault and IBM QRadar in a different organization. The products have their own unique space in the market. SolarWinds has a logging engine. IBM is huge.

It's a good tool if we are small and growing. It is easy to deploy. The support is available. The product is easy to learn. Overall, I rate the solution a nine out of ten.

Fortinet FortiSIEM is used to audit my servers and communications. It effectively handles vulnerability detection and correlates traffic to identify security issues or anomalies. It is also used to correlate my logs, which helps detect outliers and identify unusual events in my network.

It detects new technologies, vulnerabilities, and emerging threats on the internet.

I have been using Fortinet FortiSIEM for four years.

500 users are using this solution.

The product could benefit from more local support. There is an opportunity to improve the support for products like Deepgram and FortiSIEM.

Positive

The deployment of the platform took some time to set up and configure. I have experience using SolarWinds and its tools.

The initial setup is very easy and takes four months to complete. They need to focus on this because the provider did much of the configuration rather than them doing it directly. The support we receive helps us improve in comparison to using this platform alone.

I rate the initial setup an eight out of ten, where one is difficult, and ten is easy.

Our provider does the deployment and maintenance.

It has a good price and is more competitive than the others.

If the protection and monitoring make my network safer by detecting outliers and events, I can report these findings to my manager. They need to be aware of live events affecting the company.

Overall, I rate the solution an eight out of ten.

We are using the solution for our customers. 

The pricing is good. 

The best features are the dashboard and the integration between the Fortinet products. We can connect the nodes very easily.

The initial setup is very easy.

It's great to use both this and FortiSOAR. It makes everything better. If you use them together with Fortianalyzer, it's better than Splunk.

The solution is stable. 

It is a scalable product. 

Technical support is helpful. 

There are some connectivity issues with FortiAnalyzer and FortiGate.

They need to integrate better with Cisco and Palo Alto. 

The solution is very stable. It offers good reliability.

We have found that it is possible to scale the solution.

With technical support, I often direct tickets to them in terms of licensing, and within a maximum of two to three hours, the license will be active. They are very helpful. They are very responsive. They are always responding to the tickets and assisting us. You can show your customer their level of engagement. It's very impressive. Customers are happy.

Positive

In Saudi Arabia, customers are doing Splunk or LogRhythm. In Jordan, we are using Fortinet due to the fact that it is cheaper. 

There is not a huge difference between all the technology as all the partners use the same technology.

The solution is quite simple and straightforward to set up. I'd rate it a four out of five in terms of ease of execution.

There is, for example, no need to more configuration. It's very easy. In the cloud, you just reinstall the virtual machine, its main connectors in Big Sur, and then, on the customer side, you put the small virtual machine at the connectors.

The pricing is very good. It's reasonable and competitive. I'd rate the pricing at five out of five. 

I'd rate the solution a nine out of ten.

We use the Fortinet FortiSIEM tool for log monitoring and alert generation. We use Fortinet FortiSIEM to collect logs from the critical servers of the customer's infrastructure, like active directory servers and file servers. We also collect logs from a few security devices like the firewall, the proxy, and the antivirus setup. Based on that, our team checks the logs, and we get an alert to take action on the development.

Fortinet FortiSIEM has its own validated and authentic IP database that marks malicious IP attacks against the firewall and generates an alert for the same.

Our team tried configuring MS SQL database logs with Fortinet FortiSIEM, but it did not work for some time.

Fortinet FortiSIEM's database monitoring could be made easier, like the servers and the security devices.

I have been using Fortinet FortiSIEM for the past four to five months.

Fortinet FortiSIEM is a stable product.

Fortinet FortiSIEM is a scalable product. We initially configured five devices, and then we could scale it to twenty. There could be some issues if the device count goes up to hundreds and thousands. Around 10 to 15 engineers use Fortinet FortiSIEM in our company.

Overall, I rate Fortinet FortiSIEM an eight out of ten.

We have eight use cases installed, and we are collecting log sources from most of the relevant endpoints. We did all that configuration ourselves. So, the product didn't really have a lot to do with it.

It is deployed on a private cloud. We manage the cloud infrastructure ourselves, and its primary purpose is to monitor and protect our network devices and our own business systems, not necessarily our customer-facing services.

We are most probably on version 3. We are not on the current release.

The event correlation is pretty robust. The GUI is pretty good. 

Their technical support is horrible. By horrible, I mean a train wreck of a disaster that has fallen off a bridge and caught fire.

The out-of-the-box log ingestion for the supported devices is fine. The main issues arise when you're trying to ingest a log source that's not supported. You're left to figure it out yourself. You have to figure out the custom parsing yourself. There should be better support for nonstandard log sources. That's because unless you can ingest logs from all of your key controls, the solution will have gaps. Out of the box, this product doesn't support a lot of normal security devices that are common, and then you get into building custom parsers yourself to get it to work.

The other problem is infrastructure stability. The architecture scaling rules that the vendor provides are vastly understated. So, we constantly run into stability problems that we end up figuring out and solving by throwing more infrastructure at it because they're understating the infrastructure requirements. It is understandable that they would do that, and you see why they would do that, but it is causing no end of problems.

We've been using it for about three years.

Scaling is problematic because of the architecture. It is very hard to figure out the required compute, memory, and disk space because the documentation is so bad. Like any SIEM, it is very compute-heavy. So, scaling is always a problem. We've come to the conclusion that it is not scalable to the magnitude that we require.

I have two system administrators at the moment who are a part of my SOC. We have a very small operation. My SOC right now is comprised of two analysts, a senior analyst, and a manager. All of them are technical, and all of them are involved in managing this solution in one way, shape, or form.

We use the product as one of our internal controls. We have several others, which I won't get into, and we do not plan on scaling it beyond that. We have been piloting some customer-facing use cases, and we will be deprecating those, scaling them back, and moving them to the Microsoft product.

Their technical support is really bad. Their account support and product support are fine. I would rate their technical support one out of ten.

Negative

The initial deployment was done with the partner. Since then, we have done additional endpoints and upgrades, and we are doing all the work ourselves now. 

We used a partner to help us with the initial setup.

We are not really tracking ROI. We just view it as a cost of business, and we are not driving any revenue from it. So, it is just a sum cost.

This is probably more on the lower cost end of the spectrum compared to competing products.

Fortinet's license model is based on events per second, which makes sense, but that's not typical. It makes it very hard to calculate what your costs are going to be as you scale the platform because some log sources, such as firewall logs, are very noisy, and there are lots and lots of events per second, but some of them are not. So, it becomes a bit of a science experiment trying to guess what your costs are going to be as you scale the solution. This is where other competing products perhaps have a more straightforward license model.

In terms of additional costs, we also pay for our cloud infrastructure to run it. If your log source is not supported, you're going to have to develop custom parsing. So, you're going to incur that development cost. There is also the normal day-to-day administration cost.

We implemented Fortinet FortiSIEM for our own use, and then we have been exploring the idea of using it for a customer-facing or a managed service provider multi-tenant SIEM. We offer managed SIEM services to our customers, and we've come to the conclusion that it is not well suited for that purpose. We are in the process of installing Microsoft Sentinel and Azure Lighthouse for a new service.

My overall impression is that this is an SMB product. It is not a large-scale enterprise or multi-tenant product. Even though they tell you it'll do that, it is an SMB tool, and it is pretty good for that purpose. However, most institutions would not have the required in-house expertise for it. You need a dedicated, skilled technical administrator. You need your own DevOps team, which small and medium businesses generally don't have, or you can do what we did and use a partner to do the work for you.

I would caution others to fully understand the support model and talk to reference customers about it and have a solid understanding of what their internal resource needs will be to implement and support it. That's because it is complicated. Depending on the product you pick, you would need some in-house technical capabilities. For bigger companies, that's usually not a problem, but for small and medium businesses, that can be a problem.

I would rate it a six out of ten. It is suitable for its purpose. It is targeted at the SMB market. The feature function is fine. I would rate it higher if their technical support was better.

We use Fortinet FortiSIEM for storage of security information and analysis, as well as for alerts from the 50-60 services that we have. All of our webs are linked to FortiSIEM. It's a form of SOC tool and data is used for identifying trends and what's happening around the networks. We're customers and end-to-end users when it comes to FortiSIEM, but for other Fortinet products we're either partners or a value-added reseller. I'm the principal cloud architect in our company. 

I think the most valuable feature is the easy alert setup, it's very important. It's quite simple to use and enables us to have different alerts in different categories. SOC is able to see all the red alerts, it's impossible to miss them. It's a good tool for analysis and for SOC. We upload all network detection tools that support FortiSIEM and can investigate for different alerts or vulnerabilities. A great feature is that you can use Python scripting for data stack. It's great for devices that don't generate a genuine local source of information. 

This solution is not very good on non-API features and lacks that functionality. We've raised multiple tickets to Fortinet about this and they are pending there. The product development hasn't been fast enough to ensure it can function on the cloud. It's excellent when you download and get the security locks but in areas like Microsoft 365, you have to fetch the security access using APIs and they don't update quickly enough. If Microsoft announces a new service today, we have to wait at least six months before FortiSIEM start supporting it. It's crucial that the API support is updated, for now FortiSIEM lacks functionality compared to its competitors.

It's a very reliable solution, we haven't had any outages during the last year and we're using it a lot. We have over 40 people using it 24/7.

This solution is not very scalable if you have a lot of security events; it's focused more around smaller companies. We've become too big for it with 48,000 devices which we are monitoring and we had to create another instance and split things. It's not perfect because it requires purchase of a second license. We use the solution all the time. 

Fortinet support is very fast. If I need to ask something, I'll get a response within a couple of hours. 

The initial setup was quite straightforward. They have good documentation and once we deployed, there were only a couple of times where we needed a little bit of support because there were delayed reactions. 

The licensing is on an annual basis and calculated on the set up number. Of course, the licensing cost could be less but it's not too bad and is quite nicely priced. With Centreon or Splunk you just pay for the use but if we compare the cost of FortiSIEM with Splunk, it's less than half the price.

We took a look at IBM QRadar, which was the main competitor, and we also looked at Splunk. Splunk lost out quickly because of the cost and we ended up going with Fortinet because it was much easier to manage and implement things than QRadar and it has the Python scripting.

If your use case suits this solution, I would recommend it. If you are a professional operator and you're into pre-investing, and not just paying per use, then FortiSIEM is one of the best options you can have.

I rate this product an eight out of 10.