Fortinet FortiSIEM Reviews

We primarily use the solution for security.

Fortinet has a unique model, which they call MSSP, managed services security partner. They select a telco in a country, partner with them, and offer them the certification track. We are an MSSP partner in Pakistan. FortiSIEM and FortiSOAR, their overall solutions that are there for threat mitigation, visibility, control, et cetera, is well integrated.

We like the integration of all of these Fortinet platforms together. Everything is integrated well, and we are able to sell that as a service to our customers.

There's a VR feature that is basically segmenting these firewalls, these security devices. Using that feature, we can make a network slice for each and every enterprise customer. All of the infrastructure is deployed in our data center, yet customer uses it as if it is their own.

FortiSIEM is not a market leader in the SIEM space. In SIEM solutions, typically, our customers ask for Splunk, or they ask for Logarithm. Some legacy customers ask for IBM. This isn’t as popular. Fortinet needs to grow in that perspective. They need to become a leader in the magic quadrant of Gartner and be seen as visionary so that the top customers, the big customers, take them seriously in the SIEM space.

I’ve been using the solution for more than a year now.

This is an absolutely stable solution. There aren’t bugs or glitches, and it doesn’t crash or freeze. It’s reliable.

We don’t have users per se. We are selling it. We have just started selling it. At this point, we have more than double-digit customers onboarded who are using the services.

My understanding is that the solution is entirely scalable.

We find technical support quite helpful. They're very responsive. They have a very good on-the-ground team in Pakistan.

While I am responsible for the overall product owners within PTCL, within my organization, I don’t directly deal with implementation tasks.

My colleagues tell me it is easy to deal with, however.

I can’t speak to the general cost of the solution. They have a very flexible model for partners like us, however. It is a pay-as-you-grow model.

I’m not sure which exact version I’m using.

We are a cloud provider. Whatever we do, we sell it to our clients. We're not an enterprise, we are a public cloud provider, PTCL, and we sell to our clients.

I’d rate the solution eight out of ten.

If a company already has Fortinet devices in their network they have all the components of security of Fortinet, then it will make sense for them to consider FortiSIEM. If, however, it doesn’t have Fortinet security devices, it may be difficult to leverage.

Fortinet FortiSIEM is used to audit my servers and communications. It effectively handles vulnerability detection and correlates traffic to identify security issues or anomalies. It is also used to correlate my logs, which helps detect outliers and identify unusual events in my network.

It detects new technologies, vulnerabilities, and emerging threats on the internet.

I have been using Fortinet FortiSIEM for four years.

500 users are using this solution.

The product could benefit from more local support. There is an opportunity to improve the support for products like Deepgram and FortiSIEM.

Positive

The deployment of the platform took some time to set up and configure. I have experience using SolarWinds and its tools.

The initial setup is very easy and takes four months to complete. They need to focus on this because the provider did much of the configuration rather than them doing it directly. The support we receive helps us improve in comparison to using this platform alone.

I rate the initial setup an eight out of ten, where one is difficult, and ten is easy.

Our provider does the deployment and maintenance.

It has a good price and is more competitive than the others.

If the protection and monitoring make my network safer by detecting outliers and events, I can report these findings to my manager. They need to be aware of live events affecting the company.

Overall, I rate the solution an eight out of ten.

We are using Fortinet FortiSIEM on-premises and Azure Sentinel on the cloud. We are a university with an E5 license, and we cannot pump everything to Azure Sentinel because it will cost quite a lot. That's why we have two SIEM systems, one for cloud and one for on-premises.

We use Fortinet FortiSIEM for our on-premises services. It has a perpetual license, and we pay once. Depending on your storage size, you can pump to your on-premises SIEM system whenever you like. Our strategy is to use Azure Sentinel as little as possible. Since we have two SIEM systems, vendor integration is a problem, and we need more staff.

We have many application systems, and I can set up Fortinet FortiSIEM for users to monitor their systems.

The challenge I face with Fortinet FortiSIEM is the lack of support. I need to figure out many things by myself. Getting support for the solution is very hard. The support person is pretty good and nice. I need to go through the professional service channel for more professional support. Since my company cannot pay for professional services, I have to figure many things out myself.

For example, I have to figure out the best approach to design an architecture to fit into my environment. Then, I will go through the standard support channel to get confirmation from tech support, but they cannot help. I will return to the sales channel and try to get the right architecture for our environment approved.

Fortinet FortiSIEM is a new product, and Fortinet only supports one or two people. Fortinet FortiSIEM is not a mature solution.

Fortinet should educate existing customers about new features that can help them. Like Microsoft products, Fortinet should provide training or teaching material on YouTube. Fortinet provides free training on its website, but sometimes going through the whole course takes too long. I hope Fortinet improves this part.

Fortinet should provide 30 minutes or an hour-long webinars where we can learn lots of new things. Without this information, customers have to try to figure out things by themselves. Many smart engineers can do that, but they may not have enough resources or time to do it.

I have been using Fortinet FortiSIEM for six months.

I rate the solution’s stability a four out of ten.

I rate the solution a four out of ten for scalability.

I like Azure Sentinel more than Fortinet FortiSIEM because it has a lot of documentation, information, and training material. The problem with Microsoft is that they keep changing things regularly and you need to be updated about their changes. For usability, Azure Sentinel is much better than Fortinet FortiSIEM.

We purchased the solution from a third-party company. Their engineer helped us to design the tool. Two to three months later, we realized that the design was not good for our environment and we needed to change it. When we got back to the third-party we purchased it from, their new engineer knew nothing about FortiSIEM. So, I had to set up the tool myself.

Fortinet FortiSIEM is not an expensive solution. We purchased a perpetual license for FortiSIEM because Azure Sentinel is too expensive. We have to keep Fortinet FortiSIEM if we want to have the same system for the whole university. After purchasing the product, you also need lots of resources to develop it. If the price is mature, you don't need to spend too much resources to develop it.

You need a dedicated person to develop and work with the solution. Fortinet FortiSIEM is suitable for big companies because they have resources. It is not good for one person or field engineer to look after many systems. Compared with Azure Sentinel, Fortinet FortiSIEM is much cheaper.

Overall, I rate the solution a five out of ten.

We use the solution for monitoring, intrusion detection, and user behavior analytics. We run the dashboards to detect anomalies. We have our own incident tracking solution. We use it to track the time to detect versus the time to resolve and close the ticket.

The product kicks the logs automatically without an agent. We also use it for file integrity monitoring. The analytics engine is quite good. It can correlate traffic across our various platforms and give us a standard dashboard view of what's happening. By seeing what's happening on the network, we can pick anomalies like encrypted traffic, policy violations, and unusual accesses. It helps us be compliant. We can push back on the users and the IT team and keep them accountable based on what they are doing across their network.

Real-time monitoring makes life quite easy for me. Once I have the assurance that I have visibility into what's happening, I can report to the business and my boss that all is well. It also allows me to keep the security operations team on its toes. We do a lot of red teaming. It allows us to see whether the SOC team is doing what it is supposed to do.

The tool is relatively easy to integrate. It's agentless. We have a Windows environment majorly. We can tell the product to monitor everything at once. As long as it's authenticated, it will fix what we need.

Network detection and response is a separate product. That's how I ended up with Wazuh. I'm looking for something to help me on the network and endpoint level. The vendor must look to consolidate and improve that area.

I have been using the solution for more than five years.

The tool is quite stable. I rarely ever need to reboot or check things. I just fine-tune the rules based on the new use cases that keep coming up.

We've not had any troubles with the tool’s scalability. We are a small growing bank. We have around 800 endpoints at the moment.

I have no complaints with the technical support.

Positive

I rate the ease of setup a seven to eight out of ten. It's agentless. We can hit the ground running. A third-party provider currently supports us in maintaining the product. We have no complaints regarding the maintenance work.

The price is competitive. We can scale based on the licensing. It is an annual CapEx.

I am using only Fortinet and Wazuh currently. I have worked with AlienVault and IBM QRadar in a different organization. The products have their own unique space in the market. SolarWinds has a logging engine. IBM is huge.

It's a good tool if we are small and growing. It is easy to deploy. The support is available. The product is easy to learn. Overall, I rate the solution a nine out of ten.

We have eight use cases installed, and we are collecting log sources from most of the relevant endpoints. We did all that configuration ourselves. So, the product didn't really have a lot to do with it.

It is deployed on a private cloud. We manage the cloud infrastructure ourselves, and its primary purpose is to monitor and protect our network devices and our own business systems, not necessarily our customer-facing services.

We are most probably on version 3. We are not on the current release.

The event correlation is pretty robust. The GUI is pretty good. 

Their technical support is horrible. By horrible, I mean a train wreck of a disaster that has fallen off a bridge and caught fire.

The out-of-the-box log ingestion for the supported devices is fine. The main issues arise when you're trying to ingest a log source that's not supported. You're left to figure it out yourself. You have to figure out the custom parsing yourself. There should be better support for nonstandard log sources. That's because unless you can ingest logs from all of your key controls, the solution will have gaps. Out of the box, this product doesn't support a lot of normal security devices that are common, and then you get into building custom parsers yourself to get it to work.

The other problem is infrastructure stability. The architecture scaling rules that the vendor provides are vastly understated. So, we constantly run into stability problems that we end up figuring out and solving by throwing more infrastructure at it because they're understating the infrastructure requirements. It is understandable that they would do that, and you see why they would do that, but it is causing no end of problems.

We've been using it for about three years.

Scaling is problematic because of the architecture. It is very hard to figure out the required compute, memory, and disk space because the documentation is so bad. Like any SIEM, it is very compute-heavy. So, scaling is always a problem. We've come to the conclusion that it is not scalable to the magnitude that we require.

I have two system administrators at the moment who are a part of my SOC. We have a very small operation. My SOC right now is comprised of two analysts, a senior analyst, and a manager. All of them are technical, and all of them are involved in managing this solution in one way, shape, or form.

We use the product as one of our internal controls. We have several others, which I won't get into, and we do not plan on scaling it beyond that. We have been piloting some customer-facing use cases, and we will be deprecating those, scaling them back, and moving them to the Microsoft product.

Their technical support is really bad. Their account support and product support are fine. I would rate their technical support one out of ten.

Negative

The initial deployment was done with the partner. Since then, we have done additional endpoints and upgrades, and we are doing all the work ourselves now. 

We used a partner to help us with the initial setup.

We are not really tracking ROI. We just view it as a cost of business, and we are not driving any revenue from it. So, it is just a sum cost.

This is probably more on the lower cost end of the spectrum compared to competing products.

Fortinet's license model is based on events per second, which makes sense, but that's not typical. It makes it very hard to calculate what your costs are going to be as you scale the platform because some log sources, such as firewall logs, are very noisy, and there are lots and lots of events per second, but some of them are not. So, it becomes a bit of a science experiment trying to guess what your costs are going to be as you scale the solution. This is where other competing products perhaps have a more straightforward license model.

In terms of additional costs, we also pay for our cloud infrastructure to run it. If your log source is not supported, you're going to have to develop custom parsing. So, you're going to incur that development cost. There is also the normal day-to-day administration cost.

We implemented Fortinet FortiSIEM for our own use, and then we have been exploring the idea of using it for a customer-facing or a managed service provider multi-tenant SIEM. We offer managed SIEM services to our customers, and we've come to the conclusion that it is not well suited for that purpose. We are in the process of installing Microsoft Sentinel and Azure Lighthouse for a new service.

My overall impression is that this is an SMB product. It is not a large-scale enterprise or multi-tenant product. Even though they tell you it'll do that, it is an SMB tool, and it is pretty good for that purpose. However, most institutions would not have the required in-house expertise for it. You need a dedicated, skilled technical administrator. You need your own DevOps team, which small and medium businesses generally don't have, or you can do what we did and use a partner to do the work for you.

I would caution others to fully understand the support model and talk to reference customers about it and have a solid understanding of what their internal resource needs will be to implement and support it. That's because it is complicated. Depending on the product you pick, you would need some in-house technical capabilities. For bigger companies, that's usually not a problem, but for small and medium businesses, that can be a problem.

I would rate it a six out of ten. It is suitable for its purpose. It is targeted at the SMB market. The feature function is fine. I would rate it higher if their technical support was better.

We use Fortinet FortiSIEM for storage of security information and analysis, as well as for alerts from the 50-60 services that we have. All of our webs are linked to FortiSIEM. It's a form of SOC tool and data is used for identifying trends and what's happening around the networks. We're customers and end-to-end users when it comes to FortiSIEM, but for other Fortinet products we're either partners or a value-added reseller. I'm the principal cloud architect in our company. 

I think the most valuable feature is the easy alert setup, it's very important. It's quite simple to use and enables us to have different alerts in different categories. SOC is able to see all the red alerts, it's impossible to miss them. It's a good tool for analysis and for SOC. We upload all network detection tools that support FortiSIEM and can investigate for different alerts or vulnerabilities. A great feature is that you can use Python scripting for data stack. It's great for devices that don't generate a genuine local source of information. 

This solution is not very good on non-API features and lacks that functionality. We've raised multiple tickets to Fortinet about this and they are pending there. The product development hasn't been fast enough to ensure it can function on the cloud. It's excellent when you download and get the security locks but in areas like Microsoft 365, you have to fetch the security access using APIs and they don't update quickly enough. If Microsoft announces a new service today, we have to wait at least six months before FortiSIEM start supporting it. It's crucial that the API support is updated, for now FortiSIEM lacks functionality compared to its competitors.

It's a very reliable solution, we haven't had any outages during the last year and we're using it a lot. We have over 40 people using it 24/7.

This solution is not very scalable if you have a lot of security events; it's focused more around smaller companies. We've become too big for it with 48,000 devices which we are monitoring and we had to create another instance and split things. It's not perfect because it requires purchase of a second license. We use the solution all the time. 

Fortinet support is very fast. If I need to ask something, I'll get a response within a couple of hours. 

The initial setup was quite straightforward. They have good documentation and once we deployed, there were only a couple of times where we needed a little bit of support because there were delayed reactions. 

The licensing is on an annual basis and calculated on the set up number. Of course, the licensing cost could be less but it's not too bad and is quite nicely priced. With Centreon or Splunk you just pay for the use but if we compare the cost of FortiSIEM with Splunk, it's less than half the price.

We took a look at IBM QRadar, which was the main competitor, and we also looked at Splunk. Splunk lost out quickly because of the cost and we ended up going with Fortinet because it was much easier to manage and implement things than QRadar and it has the Python scripting.

If your use case suits this solution, I would recommend it. If you are a professional operator and you're into pre-investing, and not just paying per use, then FortiSIEM is one of the best options you can have.

I rate this product an eight out of 10. 

I use the solution in my company for our client, which is a big university in Tunisia, and they have many servers and virtual machines. The university has to prevent attacks by making sure that they can stop the attack at the beginning. Fortinet is good for knowing if any of the equipment in the network has been attacked like ransomware or something, and we can stop the attack and secure the network.

The tool's most valuable feature stems from the fact that I can see a complete analysis, like all the incidents that have happened, and it detects everything in real-time. It lets you know of the attack in real-time. The tool sends alerts and reports, so I think it is a useful tool.

There is a port in Fortinet FortiSIEM. If something happens, you have to enter events and create a rule to stop the attack, which I think needs to be made automatic. If any incident occurs, I hope that Fortinet FortiSIEM does the work automatically without the intervention of a human or an IT admin.

I don't want to create a rule to stop an attack. Lately, many people have been trying to access the VPN, and they are not even registered with our firewall. The team detects issues but doesn't do anything. I have to create a rule to include the addresses and details of the people who want to access the VPN in the block list, but I want the tool to do all this without me.

I have been using Fortinet FortiSIEM for two months. My company has a partnership with the solution.

It is a stable solution.

The tool is scalable enough to do what you really want.

My clients run big businesses.

The solution's technical support didn't help our company a lot. When it came to Fortinet FortiSIEM, we added the devices, and started making rules, but when we asked a question to the tool's support team, it took them a long time to answer. I rate the technical support a five out of ten.

Neutral

At the beginning the product's initial setup phase was complex. Lately, since I have started to understand the tool, the setup phase has become easy.

The solution is deployed on an on-premises model with VMs in a local data center.

The solution can be deployed in four days. One day is for installing the VMs, one day is for understanding the tool's dashboard and its rules, one day is for installing the agents and adding the equipment, and one day is for seeing what the clients want exactly.

The tool is really expensive. For what the tool does for our team, the price is fair.

As my company did not fully complete everything, the installation is not stable 100 percent.

In terms of Fortinet FortiSIEM's uptime and system stability, the tool can do detection in real-time. I think it is available for users all the time.

Those who have many servers and equipment can use SIEM so they can manage. It helps a person to see what equipment has incidents and how to prevent an attack before it happens. You can't manage much equipment, like 15 VMs or servers, by yourself. You need solutions to do that and give you alerts if anything happens.

As the product is not automated enough, I rate the tool a seven out of ten.

I normally use the solution in my company as part of SOC. The tool is implemented to collect logs from all networks, perimeter devices, and security devices. We are using all kinds of SIEM tools to collect logs, especially security logs from all network devices, and analyze all those logs. Fortinet FortiSIEM works for enterprise and banking customers and BFSI customers, as most of them use Fortinet FortiGate devices for the security of the perimeter devices.

The most valuable features of the solution is its integration with other technologies, especially its ability to collect logs from Cisco and Aruba devices along with Fortinet products. The tool has an endless number of templates, so based on a customer's use case, we can choose the templates, create the report as per compliance, and submit it to management for higher visibility.

With Fortinet's current integrations with endpoints and with the integration capabilities of EDR and XDR solutions from Fortinet itself, when we are trying to integrate them with other technologies or other OEMs like CrowdStrike or SentinelOne, the integration part is very complex. It takes a lot of time to take care of the implementations. When we integrated Fortinet FortiSIEM with external threat intelligence, like CyberArk or ThreatConnect, the integration seemed to be tough. If Fortinet FortiSIEM could create some use cases or some templates with all its listed competitors or technology partners, then a customer would be able to integrate all those technologies easily.

The tool's technical team's response time is too high, and they are not available even when they know that there are many pending issues. Even though the tool offers twenty-four hours and seven days of support, we might not get the right engineer on time.

I have been using Fortinet FortiSIEM for more than ten years. I am an integrator of the solution. I use Fortinet FortiSIEM 7.0.0.

From the application perspective, yeah, I think it is a stable tool most of the time, but we have met some issues with the database sometimes. Stability-wise, I rate the solution a nine out of ten.

It is a highly scalable solution. Scalability-wise, I rate the solution a ten out of ten.

I think around ten customers of my company use the tool.

My customers are medium and enterprise-sized businesses.

The solution's technical support has been a nightmare. I rate the technical support a four or five out of ten.

Neutral

If one is difficult and ten is easy to set up, I rate the product's initial setup phase a nine out of ten. It is not very complicated, but a tech person who has the expertise to install and scale implement all these features would be required to implement the tool.

The product's installation model depends on the company's compliance and IT policies. Most customers prefer implementing an on-premises model. When considering commercial and upfront investment, customers are ready to go for cloud solutions as well. But in my experience, most customers prefer to implement an on-premises model.

The time required to deploy the solution depends on how big your network is currently. It might take two days to up to two weeks, so that is the normal project implementation time. It is always based on how big our network is and how we know our network. If customers have good visibility and understanding of their network, good access, and all the authentication paths, the integration will be much easier. In some cases, it might take more than two weeks. On average, I think it will take one to two weeks to complete installation.

The deployment of the tool is always for the SOC part of a company. It is used for real-time network analytics.

For the deployment, we discuss all the requests or use cases with the customer and understand their network topology. Most of the time, we access their platform for installation, and so we deal with virtualization platforms, like VMware ESXi, and based on that, we will download the SIEM pack from Fortinet. Once the installation has been completed, we try to find all the devices in the network that we need to monitor so we can enable all those processes. It is the normal deployment procedure we are following for implementation. Once the primary implementation has been completed based on customer use cases or complaints, we might create those dashboards and templates for reporting.

If one is cheap and ten is expensive. I rate the tool's price as an eight out of ten. Compared with Splunk or Oracle, Fortinet is cheap.

For threat detection, some AI-based analytics tools are there, and it is one of the latest features in the product. The AI helps mitigate threats.

In terms of the tool's ability to streamline customer security workflow, the product normally searches events in real-time, so customers will get alerts of the event in real-time. Compared to other products like Splunk or Oracle, I think Fortinet FortiSIEM is more reliable in real-time.

If there is proper support and better technical capabilities, it can become a good solution.

I rate the tool an eight out of ten.